This seems to presume that "dkim2" is some creature completely apart
from DKIM. That is not at all clear, and it's not clear what is being
proposed is anything more than plain old DKIM with a few new tags and
some normative text surrounding them. I don't think that changes
anything wrt DMARC, as they have orthogonal goals.
We should definitely *not* be presuming that this is anything completely
different than DKIM, and frankly should stop calling it "dkim2" until
it's established that it is actually incompatible with DKIM. It hasn't
been. DKIMbis would be much more appropriate.
Mike, who obviously missed the meeting due to timezone confusion.
On 3/21/25 7:41 AM, Todd Herr wrote:
Colleagues,
I am of the belief that if and when DKIM2 reaches a state of
widespread adoption, there is no longer a need for Domain Owners
signing with DKIM2 to participate in DMARC, a belief I expressed
during the IETF 122 meeting. I did not hear consensus for my belief,
but I still don't understand the reasons that I might be in the weeds
on this, so I'm asking for further clarification here, perhaps in
small words so that I can better understand.
Let me preface my remarks here by saying that, as I am co-editor for
DMARCbis, it might be assumed that I'm trying to protect my turf by
asking this question, and that I'm pursuing some quest to wreck DKIM2
because of that. I assure you that nothing could be further from the
truth; rather, I'm interested in making the email ecosystem better by
whatever means make it better.
Here is what I currently understand to be true:
* DMARC provides the ability for a Domain Owner to request handling
for messages that fail email validation (SPF and DKIM) and to
receive reports about use of its domain
* DKIM2, as currently described, allows and even encourages
receivers to reject messages that fail DKIM2 validation
To my mind, such rejection removes the need for a Domain Owner to
express a preference, as the decision will be made independently of
any such preference. Moreover it removes the need for any kind of
reporting, as a Domain Owner will know from the rejections which
messages that it authorized failed to authenticate and presumably why,
and the Domain Owner will never see the rejections of unauthorized
messages that did not originate at the behest of the Domain Owner,
with the latter class of rejections being ones that the Domain Owner
wouldn't find actionable, anyway.
So, assuming a future world where a DKIM2 specification includes the
text "Mail Receivers SHOULD reject any message that fails DKIM2
validation" or similar, and DKIM2 is widely adopted by mailbox
providers and MTA vendors, I have some questions about that world:
* Why would a Mail Receiver accept a message that fails DKIM2
validation?
* Why would a Domain Owner publish a DMARC policy record when it's
sending mail that is DKIM2-signed?
* What would anyone hope to gain by issuing or consuming DMARC
reports showing messages that failed DKIM2 validation but were
accepted in spite of such failure?
Thanks, and safe travels back from Bangkok to those who were there in
person.
--
Todd Herr
Some Guy in VA LLC
t...@someguyinva.com
703-220-4153
Book Time With Me: https://calendar.app.google/tGDuDzbThBdTp3Wx8
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org