On Fri, Mar 21, 2025 at 9:41 AM Todd Herr
<todd=40someguyinva....@dmarc.ietf.org> wrote:

> Here is what I currently understand to be true:
>
> DMARC provides the ability for a Domain Owner to request handling for 
> messages that fail email validation (SPF and DKIM) and to receive reports 
> about use of its domain
> DKIM2, as currently described, allows and even encourages receivers to reject 
> messages that fail DKIM2 validation

DMARC also provides the ability for reporting on messages spoofing the
domain owner's domain without aligned authentication, no?
Does DKIM2 allow for that somehow?

> Moreover it removes the need for any kind of reporting, as a Domain Owner 
> will know from the rejections which messages that it authorized failed to 
> authenticate and presumably why, and the Domain Owner will never see the 
> rejections of unauthorized messages that did not originate at the behest of 
> the Domain Owner, with the latter class of rejections being ones that the 
> Domain Owner wouldn't find actionable, anyway.

I think the assumption here that I don't agree with is that reporting
about the forged mail has to be specifically "actionable" to be
useful.

> So, assuming a future world where a DKIM2 specification includes the text 
> "Mail Receivers SHOULD reject any message that fails DKIM2 validation" or 
> similar, and DKIM2 is widely adopted by mailbox providers and MTA vendors, I 
> have some questions about that world:
>
> Why would a Mail Receiver accept a message that fails DKIM2 validation?

Why does a domain owner or mail platform accept a message that fails
DMARC today?

> Why would a Domain Owner publish a DMARC policy record when it's sending mail 
> that is DKIM2-signed?

To gain insight into unauthenticated mail attempts being initiated by
third parties.

> What would anyone hope to gain by issuing or consuming DMARC reports showing 
> messages that failed DKIM2 validation but were accepted in spite of such 
> failure?

Use case: showing reporting on messages that failed but were accepted
in spite of failure can help to measure the amount of mail one is
allowing to bypass authentication checks and can be useful to
calculate the ongoing risk of doing so, and to identify potential
shadow IT infrastructure that needs to be upgraded or replaced.

But DMARC reports don't /only/ show failed-but-accepted messages. If
this use case is invalidated (is it? I don't quite understand why it
would be invalidated), others still exist.

TL;DR, DKIM2 w/o DMARC leaves what I think would be reporting gaps
that I think IT/security people might not want to lose insight into.

Cheers,
Al Iverson
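The reporting use case argued above (measuring how much mail is failing authentication but still being delivered, and spotting the sources behind it) is easy to make concrete. The following is an added example, not code from the thread or from any IETF project: it parses a constructed DMARC aggregate report in the RFC 7489 XML shape and tallies the three buckets the discussion keeps coming back to (authenticated, failed-but-delivered, failed-and-rejected) per sending source. The report contents, IP addresses and counts are made up for illustration; `local_policy` in the sample stands in for a receiver override such as an ARC-based exception.

```python
"""Added example: turn one DMARC aggregate report into the numbers an
IT/security team would want: pass volume, fail-but-delivered volume,
fail-and-rejected volume, and which sources are behind the failures."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report (RFC 7489 aggregate-report XML shape). Addresses
# are documentation ranges and every count is invented for illustration.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-receiver.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1742515200</begin><end>1742601600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><p>reject</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
        <reason><type>local_policy</type><comment>arc=pass</comment></reason>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>12</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>500</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

# Dispositions under which the message still reached the receiver's store
# (inbox or spam folder), i.e. "accepted in spite of failure".
DELIVERED = ("none", "quarantine")


def summarize(xml_text):
    """Return {'totals': {...}, 'by_source': {ip: {...}}} for one report."""
    root = ET.fromstring(xml_text)
    totals = {"pass": 0, "fail_delivered": 0, "fail_rejected": 0}
    by_source = defaultdict(lambda: {"pass": 0, "fail_delivered": 0,
                                     "fail_rejected": 0, "override_reasons": set()})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        pe = row.find("policy_evaluated")
        disposition = pe.findtext("disposition", "none")
        # policy_evaluated/dkim and /spf carry the *aligned* results; DMARC
        # passes when either aligned identifier passes (RFC 7489 section 3.1).
        aligned_pass = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        if aligned_pass:
            bucket = "pass"
        elif disposition in DELIVERED:
            bucket = "fail_delivered"
        else:
            bucket = "fail_rejected"
        totals[bucket] += count
        by_source[ip][bucket] += count
        # <reason> records why the receiver did not apply the published policy.
        for reason in pe.findall("reason"):
            by_source[ip]["override_reasons"].add(reason.findtext("type", ""))
    return {"totals": totals, "by_source": dict(by_source)}


def bypass_rate(summary):
    """Share of all reported mail that failed DMARC yet was delivered anyway."""
    t = summary["totals"]
    total = sum(t.values())
    return t["fail_delivered"] / total if total else 0.0


def unauthenticated_sources(summary):
    """Sources whose mail fails authentication, busiest first: each is either
    shadow IT that needs to be signed properly or a spoofer (nothing to fix)."""
    rows = [(ip, b["fail_delivered"], b["fail_rejected"], sorted(b["override_reasons"]))
            for ip, b in summary["by_source"].items()
            if b["fail_delivered"] or b["fail_rejected"]]
    return sorted(rows, key=lambda r: r[1] + r[2], reverse=True)


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(s["totals"])
    print(f"bypass rate: {bypass_rate(s):.1%}")
    for ip, delivered, rejected, reasons in unauthenticated_sources(s):
        print(ip, delivered, rejected, reasons)
```

Note what the rejected bucket gives you that a DKIM2-style rejection alone would not: the domain owner never sees the 500 rejected messages from 203.0.113.99 at SMTP time, because they were never sent at its behest, but the report still tells it that its domain is being spoofed at volume and from where. The quarantined 192.0.2.25 source sits in the delivered bucket deliberately, since a spam-foldered message was still accepted.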

_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org