If a message appears at my doorstep with: 5321.From: t...@herr.net<mailto:t...@herr.net> 5322.From: toddh...@isp.net<mailto:toddh...@isp.net> DKIM2 d=: intermediary.net
And the DKIM2 fails, then what should I do? Reject it back to the (malicious?) sending host, who has no relationship to any of the domains above. So, where does it go after that? If the DKIM2 is broken, should the bounce go farther (if it even can)? Should I want to tell isp.net that someone appears to be trying to impersonate them? In a DKIM2 world, should they care? Another scenario could be that someone is using a new ESP without authorization from the corporate structure. I realize that’s a corporate governance thing, and that’s not an IETF role, though DMARC reports would give them visibility (pass or fail). -- Alex Brotman Sr. Engineer, Anti-Abuse & Messaging Policy Comcast From: Todd Herr <todd=40someguyinva....@dmarc.ietf.org> Sent: Friday, March 21, 2025 10:41 AM To: ietf-dkim@ietf.org Subject: [Ietf-dkim] ELI5: DKIM2 and DMARC Colleagues, I am of the belief that if and when DKIM2 reaches a state of widespread adoption, there is no longer a need for Domain Owners signing with DKIM2 to participate in DMARC, a belief I expressed during the IETF 122 meeting. I did not hear consensus for my belief, but I still don't understand the reasons that I might be in the weeds on this, so I'm asking for further clarification here, perhaps in small words so that I can better understand. Let me preface my remarks here by saying that, as I am co-editor for DMARCbis, it might be assumed that I'm trying to protect my turf by asking this question, and that I'm pursuing some quest to wreck DKIM2 because of that. I assure you that nothing could be further from the truth; rather, I'm interested in making the email ecosystem better by whatever means make it better. Here is what I currently understand to be true: * DMARC provides the ability for a Domain Owner to request handling for messages that fail email validation (SPF and DKIM) and to receive reports about use of its domain * DKIM2, as currently described, allows and even encourages receivers to reject messages that fail DKIM2 validation To my mind, such rejection removes the need for a Domain Owner to express a preference, as the decision will be made independently of any such preference. Moreover it removes the need for any kind of reporting, as a Domain Owner will know from the rejections which messages that it authorized failed to authenticate and presumably why, and the Domain Owner will never see the rejections of unauthorized messages that did not originate at the behest of the Domain Owner, with the latter class of rejections being ones that the Domain Owner wouldn't find actionable, anyway. So, assuming a future world where a DKIM2 specification includes the text "Mail Receivers SHOULD reject any message that fails DKIM2 validation" or similar, and DKIM2 is widely adopted by mailbox providers and MTA vendors, I have some questions about that world: * Why would a Mail Receiver accept a message that fails DKIM2 validation? * Why would a Domain Owner publish a DMARC policy record when it's sending mail that is DKIM2-signed? * What would anyone hope to gain by issuing or consuming DMARC reports showing messages that failed DKIM2 validation but were accepted in spite of such failure? Thanks, and safe travels back from Bangkok to those who were there in person. -- Todd Herr Some Guy in VA LLC t...@someguyinva.com<mailto:t...@someguyinva.com> 703-220-4153 Book Time With Me: https://calendar.app.google/tGDuDzbThBdTp3Wx8<https://urldefense.com/v3/__https:/calendar.app.google/tGDuDzbThBdTp3Wx8__;!!CQl3mcHX2A!F8B3F2f9LQiS6UWRWHQl-XS3br5xSfRibZwn-98M2FGvFdBZ_fOZVCQ-KoRmR3_WFLZLYeWdSSx8AR9TEw-K98lfVNnBiSQKG7Q$>
_______________________________________________ Ietf-dkim mailing list -- ietf-dkim@ietf.org To unsubscribe send an email to ietf-dkim-le...@ietf.org
