On Sun, Mar 23, 2025 at 2:24 PM Al Iverson <al.iverson= 40valimail....@dmarc.ietf.org> wrote:
> On Fri, Mar 21, 2025 at 9:41 AM Todd Herr <todd=40someguyinva....@dmarc.ietf.org> wrote:
> >
> > Here is what I currently understand to be true:
> >
> > DMARC provides the ability for a Domain Owner to request handling for messages that fail email validation (SPF and DKIM) and to receive reports about use of its domain
> >
> > DKIM2, as currently described, allows and even encourages receivers to reject messages that fail DKIM2 validation
>
> DMARC also provides the ability for reporting on messages spoofing the domain owner's domain without aligned authentication, no?
> Does DKIM2 allow for that somehow?

Wrapped up in my "DMARC provides the ability for a Domain Owner ... to receive reports about use of its domain" is the reporting about messages spoofing the domain.

> > Moreover it removes the need for any kind of reporting, as a Domain Owner will know from the rejections which messages that it authorized failed to authenticate and presumably why, and the Domain Owner will never see the rejections of unauthorized messages that did not originate at the behest of the Domain Owner, with the latter class of rejections being ones that the Domain Owner wouldn't find actionable, anyway.
>
> I think the assumption here that I don't agree with is that reporting about the forged mail has to be specifically "actionable" to be useful.

You lose me here, because I don't see the point of reporting unless it's somehow actionable. To my mind, a report that X is using my domain does me no good unless there's enough in the report for me to attempt to take action to stop X from using my domain.

> > So, assuming a future world where a DKIM2 specification includes the text "Mail Receivers SHOULD reject any message that fails DKIM2 validation" or similar, and DKIM2 is widely adopted by mailbox providers and MTA vendors, I have some questions about that world:
> >
> > Why would a Mail Receiver accept a message that fails DKIM2 validation?
>
> Why does a domain owner or mail platform accept a message that fails DMARC today?

Local policy, I assume. However, the DKIM2 model currently being discussed is one where a DKIM2 failure means that rejecting the message is likely to be the most (and perhaps only) prudent decision for the validator. That rejection, according to the current model being discussed, should then wend its way back through all hops that handled the message and eventually to the originator. If the originator is the Domain Owner, then the Domain Owner is aware of an authentication shortcoming to be addressed. If the originator is not the Domain Owner, the unauthorized use of the domain has been prevented by the rejection.

> > Why would a Domain Owner publish a DMARC policy record when it's sending mail that is DKIM2-signed?
>
> To gain insight into unauthenticated mail attempts being initiated by third parties.

To what end, though? What good is "insight" without any way to fix the problem or stop the abuse?

> > What would anyone hope to gain by issuing or consuming DMARC reports showing messages that failed DKIM2 validation but were accepted in spite of such failure?
>
> Use case: showing reporting on messages that failed but were accepted in spite of failure can help to measure the amount of mail one is allowing to bypass authentication checks and can be useful to calculate the ongoing risk of doing so, and to identify potential shadow IT infrastructure that needs to be upgraded or replaced.
>
> But DMARC reports don't /only/ show failed-but-accepted messages. If this use case is invalidated (is it? I don't quite understand why it would be invalidated), others still exist.
>
> TL;DR, DKIM2 w/o DMARC leaves what I think would be reporting gaps that I think IT/security people might not want to lose insight into.

And I claim that the rejections of the messages as per the current DKIM2 model being discussed render reporting unnecessary.
--
Todd Herr
Some Guy in VA LLC
t...@someguyinva.com
703-220-4153
Book Time With Me: https://calendar.app.google/tGDuDzbThBdTp3Wx8
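The measurement Al's use case describes (how much mail fails aligned authentication but is still delivered) can be pulled straight from the RUA aggregate reports DMARC already produces. The following is an added example, not code from either poster: it tallies a constructed report whose record layout follows RFC 7489 Appendix C, using documentation-range source addresses and invented counts.

```python
# Added example, not from the thread: tally a DMARC aggregate (RUA) report
# to measure the "failed but accepted" mail the use case above refers to.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report following the RFC 7489 Appendix C layout;
# source addresses are documentation ranges, not real senders.
SAMPLE_RUA = """<feedback>
  <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>15</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      <reason><type>local_policy</type></reason></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.42</source_ip><count>40</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers></record>
</feedback>"""

def summarize_rua(xml_text: str) -> dict:
    """Bucket every <record> by aligned DKIM/SPF outcome and receiver disposition."""
    root = ET.fromstring(xml_text)
    summary = {"passed": 0, "failed_accepted": 0, "failed_enforced": 0,
               "failed_accepted_by_source": Counter()}
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count", "0"))
        pol = row.find("policy_evaluated")
        dkim, spf = pol.findtext("dkim"), pol.findtext("spf")
        disposition = pol.findtext("disposition")
        if dkim == "pass" or spf == "pass":
            summary["passed"] += count  # DMARC needs only one aligned pass
        elif disposition == "none":
            # Both aligned checks failed yet the receiver delivered the mail:
            # this is the "bypass" volume the use case wants to measure.
            summary["failed_accepted"] += count
            summary["failed_accepted_by_source"][row.findtext("source_ip")] += count
        else:
            summary["failed_enforced"] += count  # quarantine/reject applied
    return summary

def bypass_ratio(summary: dict) -> float:
    """Share of reported mail that failed aligned auth but was delivered anyway."""
    total = summary["passed"] + summary["failed_accepted"] + summary["failed_enforced"]
    return summary["failed_accepted"] / total if total else 0.0
```

Running `summarize_rua(SAMPLE_RUA)` over real reports from several receivers gives the per-source list that points at shadow IT or forwarding paths still relying on a local-policy override.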
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org