The best reason to run DKIM2 as a new protocol beside DKIM is that it will be testing HELL to suddenly change the header with new tags/fields/values. DKIM with elliptic curves instead of RSA signatures is a good example of why "upgrading" fails hard for adopters of the update, and I have talked to enough people over time who are scared to move because of this.
--
Tobias Herkula
Senior Product Owner Mail Security
Product Management Mail Transfer & Mail Security
1&1 Mail & Media GmbH

________________________________
From: Michael Thomas
Sent: Friday, March 21, 2025 18:44
To: ietf-dkim@ietf.org
Subject: [Ietf-dkim] Re: ELI5: DKIM2 and DMARC

On 3/21/25 9:35 AM, Mark Alley wrote:
> On 3/21/2025 10:12 AM, Todd Herr wrote:
>> On Fri, Mar 21, 2025 at 11:05 AM Mark Alley <mark.alley=40tekmarc....@dmarc.ietf.org> wrote:
>>> If Joe Schmoe, an email administrator, signs corporate mail with DKIM2 but has other mail streams that may not support it, or legacy systems incapable of using it, would DMARC not still be needed to apply/report to/for these other mail streams in that scenario, or to protect from external entities trying to spoof the domain?
>>>
>>> I've perused the draft, and unless I'm missing text somewhere, I don't see where DKIM2 would fulfill the policy request for unauthenticated emails, unless you're saying that DKIM2 usage (or lack thereof) would be akin to ADSP-esque behavior in some way?
>>
>> I think you're describing a world where a Domain Owner authorizes some mail streams using DKIM2 and some mail streams using SPF/DKIM as is done today. Obviously DMARC has a place in the authentication of those latter streams, layered on top of SPF/DKIM as it is now, but that's not the world I'm thinking of here.
>>
>> I'm thinking instead of a world where "DKIM2" exists and is effectively the only authentication protocol and its specification says "Receivers SHOULD reject messages that fail DKIM2 validation". What role could DMARC play in *that* world?
>>
>> --
>> Todd Herr
>> Some Guy in VA LLC
>> t...@someguyinva.com
>> 703-220-4153
>> Book Time With Me: https://calendar.app.google/tGDuDzbThBdTp3Wx8
>
> ______________________________________
>
> I see what you're getting at now. So, in this world, every MTA supports DKIM2 and it's the only authentication protocol in use...
but: I think we can dispense with the notion that some supposed DKIM2 displaces DKIM completely. That is never going to happen. It also presupposes that DKIM2 is a new protocol and not an update to DKIM. That hasn't been decided either, and frankly I've seen no evidence that it would be necessary. In that case its overall relationship with DMARC wouldn't be any different than now. Hence "premature".

Mike
_______________________________________________ Ietf-dkim mailing list -- ietf-dkim@ietf.org To unsubscribe send an email to ietf-dkim-le...@ietf.org
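Tobias's elliptic-curve example, worked through as an added illustration (code written for this page, not from the thread or from any DKIM implementation): an RFC 6376 verifier decides what to do with a DKIM-Signature field before it touches any key material, and RFC 8463's ed25519-sha256 value for the a= tag is simply absent from an older verifier's algorithm table. The two verifier tables, the two signature fields and their placeholder b=/bh= values are assumptions constructed for the example; nothing is cryptographically verified, because the failure shown happens earlier than that.

```python
"""Model of how an RFC 6376 DKIM verifier disposes of a DKIM-Signature
field before doing any cryptography.

Added example for this page; not code from the IETF thread or from any
DKIM implementation.  The signature fields are constructed, and their
b= / bh= values are base64 placeholders that are never checked, because
the decision shown here is taken before the verifier reaches the
signature bytes.
"""
import re

# Tags every DKIM-Signature field must carry (RFC 6376, section 3.5).
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")

# Assumed algorithm tables for two verifier generations.  RFC 6376 defines
# rsa-sha256 (rsa-sha1 is historic and left out); RFC 8463 added
# ed25519-sha256, which a verifier written against RFC 6376 alone does
# not recognise.
LEGACY_VERIFIER = frozenset({"rsa-sha256"})
MODERN_VERIFIER = frozenset({"rsa-sha256", "ed25519-sha256"})


def parse_tags(field_value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict.

    Folding whitespace inside values is dropped, which is what a verifier
    does for b= and bh= before base64-decoding them.  Duplicate tags and
    entries without '=' are syntax errors.
    """
    tags = {}
    for entry in field_value.split(";"):
        if not entry.strip():
            continue  # tolerate a trailing ';'
        if "=" not in entry:
            raise ValueError("tag without '=': %r" % entry.strip())
        name, value = entry.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: " + name)
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def verifier_disposition(field_value, supported_algorithms):
    """Decide what a verifier does with one DKIM-Signature field.

    Returns ("permfail", reason) when RFC 6376 requires the verifier to
    give up on the field, or ("proceed", algorithm) when it would go on to
    fetch the key and check the signature.
    """
    try:
        tags = parse_tags(field_value)
    except ValueError as exc:
        return ("permfail", "signature syntax error: %s" % exc)
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        return ("permfail", "missing required tag(s): " + ",".join(missing))
    if tags["v"] != "1":
        return ("permfail", "incompatible version: " + tags["v"])
    if tags["a"] not in supported_algorithms:
        # The ed25519 upgrade problem: the field is well formed, but a
        # verifier that predates RFC 8463 cannot use it.
        return ("permfail", "unsupported signature algorithm: " + tags["a"])
    return ("proceed", tags["a"])


def usable_signatures(signature_fields, supported_algorithms):
    """Algorithms of the fields a verifier would actually try to verify.

    An empty list means the message is, for this verifier, unsigned: a
    DMARC evaluation that relies on DKIM alignment then fails.
    """
    return [
        alg
        for state, alg in (verifier_disposition(f, supported_algorithms)
                           for f in signature_fields)
        if state == "proceed"
    ]


# Constructed signature fields, folded as they would appear on the wire.
ED25519_FIELD = (
    "v=1; a=ed25519-sha256; c=relaxed/relaxed; d=example.com; s=sel-ed;\r\n"
    "\th=from:to:subject:date; bh=ZmFrZS1ib2R5LWhhc2g=;\r\n"
    "\tb=ZmFrZS1zaWduYXR1cmU="
)
RSA_FIELD = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel-rsa;\r\n"
    "\th=from:to:subject:date; bh=ZmFrZS1ib2R5LWhhc2g=;\r\n"
    "\tb=ZmFrZS1zaWduYXR1cmU="
)

ED25519_ONLY = [ED25519_FIELD]            # sender switched algorithms outright
DUAL_SIGNED = [RSA_FIELD, ED25519_FIELD]  # sender kept an RSA signature alongside

if __name__ == "__main__":
    for label, fields in (("ed25519 only", ED25519_ONLY), ("dual signed", DUAL_SIGNED)):
        for gen, table in (("legacy", LEGACY_VERIFIER), ("modern", MODERN_VERIFIER)):
            print("%-12s %-6s verifier -> %s" % (
                label, gen, usable_signatures(fields, table) or "no usable signature"))
```

Running it shows the migration trap: a message signed only with ed25519-sha256 has no usable signature at a verifier that only knows RFC 6376, so the sender's "upgrade" looks to that receiver like an unsigned message, and keeping an RSA signature beside the new one is what makes the same message verifiable at both generations. A field a legacy verifier does not look for at all is ignored rather than failed, which is the distinction Tobias draws between a new protocol beside DKIM and new tag values inside the existing header.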