If Joe Schmoe, an email administrator, signs corporate mail with DKIM2
but have other mail streams that may not support it, or legacy systems
incapable of using it, would not DMARC still be needed to apply/report
to/for these other mailstreams in that scenario, or to protect from
external entities trying to spoof the domain?
I've perused the draft, and unless I'm missing text somewhere, I don't
see where DKIM2 would fulfill the policy request for unauthenticated
emails, unless you're saying that DKIM2 usage (or lack thereof) would be
akin to ADSP-esque behavior in some way?
- Mark Alley
On 3/21/2025 9:41 AM, Todd Herr wrote:
Colleagues,
I am of the belief that if and when DKIM2 reaches a state of
widespread adoption, there is no longer a need for Domain Owners
signing with DKIM2 to participate in DMARC, a belief I expressed
during the IETF 122 meeting. I did not hear consensus for my belief,
but I still don't understand the reasons that I might be in the weeds
on this, so I'm asking for further clarification here, perhaps in
small words so that I can better understand.
Let me preface my remarks here by saying that, as I am co-editor for
DMARCbis, it might be assumed that I'm trying to protect my turf by
asking this question, and that I'm pursuing some quest to wreck DKIM2
because of that. I assure you that nothing could be further from the
truth; rather, I'm interested in making the email ecosystem better by
whatever means make it better.
Here is what I currently understand to be true:
* DMARC provides the ability for a Domain Owner to request handling
for messages that fail email validation (SPF and DKIM) and to
receive reports about use of its domain
* DKIM2, as currently described, allows and even encourages
receivers to reject messages that fail DKIM2 validation
To my mind, such rejection removes the need for a Domain Owner to
express a preference, as the decision will be made independently of
any such preference. Moreover it removes the need for any kind of
reporting, as a Domain Owner will know from the rejections which
messages that it authorized failed to authenticate and presumably why,
and the Domain Owner will never see the rejections of unauthorized
messages that did not originate at the behest of the Domain Owner,
with the latter class of rejections being ones that the Domain Owner
wouldn't find actionable, anyway.
So, assuming a future world where a DKIM2 specification includes the
text "Mail Receivers SHOULD reject any message that fails DKIM2
validation" or similar, and DKIM2 is widely adopted by mailbox
providers and MTA vendors, I have some questions about that world:
* Why would a Mail Receiver accept a message that fails DKIM2
validation?
* Why would a Domain Owner publish a DMARC policy record when it's
sending mail that is DKIM2-signed?
* What would anyone hope to gain by issuing or consuming DMARC
reports showing messages that failed DKIM2 validation but were
accepted in spite of such failure?
Thanks, and safe travels back from Bangkok to those who were there in
person.
--
Todd Herr
Some Guy in VA LLC
t...@someguyinva.com
703-220-4153
Book Time With Me: https://calendar.app.google/tGDuDzbThBdTp3Wx8
_______________________________________________
Ietf-dkim mailing list --ietf-dkim@ietf.org
To unsubscribe send an email toietf-dkim-le...@ietf.org
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org
