My personal take: DKIM2 is an authentication mechanism. I think it would be difficult to justify an authentication protocol dictating how systems should handle messages that do not pass authentication checks. Local policy may indeed evolve to state that DKIM2 unauthenticated == reject at some point in the future.
Because handling of unauthenticated messages is still subject to local policy, I don't think DKIM2 changes the value of a DMARC policy very much. Domain owners can still use this policy to request that receivers apply some treatment to mail purporting to come from their domain that is not authenticated with domain alignment. Local policy on the receiving system may render this request redundant, but that's already true today.

I don't have much familiarity with the reporting side of DMARC. Reports seem like they would still be applicable, with DKIM2 results reported alongside other authentication mechanisms.

On Fri, Mar 21, 2025 at 12:36 PM Mark Alley <mark.alley=40tekmarc....@dmarc.ietf.org> wrote:

> On 3/21/2025 10:12 AM, Todd Herr wrote:
>
> On Fri, Mar 21, 2025 at 11:05 AM Mark Alley <mark.alley=40tekmarc....@dmarc.ietf.org> wrote:
>
>> If Joe Schmoe, an email administrator, signs corporate mail with DKIM2
>> but has other mail streams that may not support it, or legacy systems
>> incapable of using it, would not DMARC still be needed to apply/report
>> to/for these other mail streams in that scenario, or to protect from
>> external entities trying to spoof the domain?
>>
>> I've perused the draft, and unless I'm missing text somewhere, I don't
>> see where DKIM2 would fulfill the policy request for unauthenticated
>> emails, unless you're saying that DKIM2 usage (or lack thereof) would be
>> akin to ADSP-esque behavior in some way?
>
> I think you're describing a world where a Domain Owner authorizes some
> mail streams using DKIM2 and some mail streams using SPF/DKIM as is done
> today. Obviously DMARC has a place in the authentication of those latter
> streams, layered on top of SPF/DKIM as it is now, but that's not the world
> I'm thinking of here.
>
> I'm thinking instead of a world where "DKIM2" exists and is effectively
> the only authentication protocol and its specification says "Receivers
> SHOULD reject messages that fail DKIM2 validation".
>
> What role could DMARC play in *that* world?
>
> --
> Todd Herr
> Some Guy in VA LLC
> t...@someguyinva.com
> 703-220-4153
> Book Time With Me: https://calendar.app.google/tGDuDzbThBdTp3Wx8
>
> ______________________________________
>
> I see what you're getting at now.
>
> So, in this world, every MTA supports DKIM2 and it's the only
> authentication protocol in use... but:
>
> - what would happen if someone intentionally made an MTA that did not
>   use it?
> - would mail from this system be reported on (via FBLs) by mail
>   providers supporting DKIM2-auth only?
> - would it be delivered or rejected?
> - Is the lack of DKIM2 usage in this world the same as "failing DKIM2"?
>
> In an ideal state and vacuum, I am led to a similar initial thought that
> it *might* seem DKIM2 could make DMARC redundant given the right
> scenario, but I partially agree with Mike; it's somewhat difficult to
> postulate and ponder without more clarity on the protocol.
>
> - Mark Alley
_______________________________________________ Ietf-dkim mailing list -- ietf-dkim@ietf.org To unsubscribe send an email to ietf-dkim-le...@ietf.org