[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-04-05 Thread Alessandro Vesely
On Mon 24/Mar/2025 20:19:29 +0100 Richard Clayton wrote: In message , Alessandro Vesely writes BTW, is dkim2=fail different from "failing DKIM2 signatures from a 100% DKIM2 mail chain"? I mean, do verifiers always check all the signatures along the chain or can sometimes check just the last

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-04-05 Thread Dave Crocker
On 3/24/2025 8:05 AM, Murray S. Kucherawy wrote: I agree that such a world is possible -- I mean, anything is possible -- but I would really like such a change to come from below rather than above. +10. -- Dave Crocker Brandenburg InternetWorking bbiw.net bluesky: @dcrocker.bsky.social mast:

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-04-05 Thread Michael Thomas
This seems to presume that "dkim2" is some creature completely apart from DKIM. That is not at all clear, and it's not clear what is being proposed is anything more than plain old DKIM with a few new tags and some normative text surrounding them. I don't think that changes anything wrt to DMARC

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-04-05 Thread Michael Thomas
On 3/21/25 8:30 AM, Todd Herr wrote: On Fri, Mar 21, 2025 at 11:17 AM Michael Thomas wrote: I really don't know why we should presume it's something completely different wrt DMARC. Why would it be? I'm not really sure what the point is of bringing it up at this point in any c

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-28 Thread Richard Clayton
In message , Allen Robinson writes >DKIM2 is an authentication mechanism. I think it would be difficult to >justify an authentication protocol dictating how systems should handle >messages that do not pass authentication checks. Local policy may inde

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-28 Thread Michael Thomas
On 3/27/25 10:59 AM, Steffen Nurpmeso wrote: Michael Thomas wrote in <94158f8a-1578-4d52-8f9f-15635579f...@mtcc.com>: |For all of the changes, I'd think that the right thing to do is run spam |filters on the changed text with the reputation (if any) of the modifier |in mind. Obviousl

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-28 Thread Steffen Nurpmeso
Ah, sigh, one more. Michael Thomas wrote in <94158f8a-1578-4d52-8f9f-15635579f...@mtcc.com>: |On 3/26/25 11:13 AM, Alessandro Vesely wrote: |>> If you want to do forensics you can check more, but that's all that a |>> receiver is likely to care about. |> |> It ought to be not very hard to c

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-27 Thread Michael Thomas
On 3/27/25 10:35 AM, Steffen Nurpmeso wrote: Michael Thomas wrote in <9fa3835f-4991-4fa9-b6e2-1859aa66e...@mtcc.com>: |On 3/26/25 12:09 PM, Richard Clayton wrote: |> It's not a question of hardness -- if you check more signatures than you |> need to then you are heating up the planet unn

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-27 Thread Alessandro Vesely
On Mon 24/Mar/2025 19:21:23 +0100 Murray S. Kucherawy wrote: On Mon, Mar 24, 2025 at 10:53 AM Michael Thomas wrote: Out of curiosity would, say, a mailing list that breaks the original signature but signs on the mailing list's behalf count as "signed"? At some level DKIM is about taking respo

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-27 Thread Alessandro Vesely
On Wed 26/Mar/2025 20:09:33 +0100 Richard Clayton wrote: In message , Alessandro Vesely writes On Mon 24/Mar/2025 20:19:29 +0100 Richard Clayton wrote: Of course, If I trust the signer of the last signature, it would be fine to check only that. But that would be too similar to ARC... you

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-26 Thread Michael Thomas
On 3/26/25 12:09 PM, Richard Clayton wrote: It's not a question of hardness -- if you check more signatures than you need to then you are heating up the planet unnecessarily. Can we please dispense with this pointless imagery? RSA verifies are trivial and have been for 20 years. If you want

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-26 Thread Michael Thomas
On 3/26/25 11:13 AM, Alessandro Vesely wrote: If you want to do forensics you can check more, but that's all that a receiver is likely to care about. It ought to be not very hard to check all signatures, reversing the changes. There needs to be a way to tell what changes are tolerated.  For

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-26 Thread Richard Clayton
In message , Alessandro Vesely writes >On Mon 24/Mar/2025 20:19:29 +0100 Richard Clayton wrote: >> In message , Alessandro Vesely > writes >> >>>BTW, is dkim2=fail different from "failing DKIM2 signatures from a 100% >>>DKIM2 >>>mail chain"? I me

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-25 Thread Mark Alley
If Joe Schmoe, an email administrator, signs corporate mail with DKIM2 but has other mail streams that may not support it, or legacy systems incapable of using it, would not DMARC still be needed to apply/report to/for these other mailstreams in that scenario, or to protect from external entit

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Richard Clayton
In message , Alessandro Vesely writes >BTW, is dkim2=fail different from "failing DKIM2 signatures from a 100% DKIM2 >mail chain"? I mean, do verifiers always check all the signatures along the >chain or can sometimes check just the last one? In

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Richard Clayton
In message , Murray S. Kucherawy writes >On Mon, Mar 24, 2025 at 12:24PM Richard Clayton >wrote: > >> you cannot determine "legitimate" in a protocol ... what DKIM2 does is >> allow you, having determined that badness has occurred, to be sure which

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Richard Clayton
In message , Murray S. Kucherawy writes >What I'm less clear on is how one identifies a legitimate mutation or a >legitimate list, versus a participating attacker claiming to be one of >those things. you cannot determine "legitimate" in a protocol .

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Murray S. Kucherawy
Participating here: On Mon, Mar 24, 2025 at 12:24 PM Richard Clayton wrote: > >What I'm less clear on is how one identifies a legitimate mutation or a > >legitimate list, versus a participating attacker claiming to be one of > >those things. > > you cannot determine "legitimate" in a protocol ..

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Wei Chuang
Apologies for being late to this thread and possibly rehashing things. I definitely think DMARC and DKIM2 should co-exist and complement each other, as DMARC provides a policy declaration mechanism while DKIM2 provides an authentication mechanism. On Fri, Mar 21, 2025 at 7:41 AM Todd Herr wrote:

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Murray S. Kucherawy
On Mon, Mar 24, 2025 at 10:53 AM Michael Thomas wrote: > Out of curiosity would, say, a mailing list that breaks the original > signature but signs on the mailing list's behalf count as "signed"? At some > level DKIM is about taking responsibility for a message so something that a > mailing list

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Alessandro Vesely
On Fri 21/Mar/2025 19:13:47 +0100 Tobias Herkula wrote: As a receiver, I already reject some portions of traffic if it is unsigned or an existing signature does not verify. I would vote for a clear statement that failing DKIM2 signatures from a 100% DKIM2 mail chain should provoke a reject, as

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Michael Thomas
On 3/24/25 7:29 AM, Todd Herr wrote: On Mon, Mar 24, 2025 at 10:24 AM Jim Fenton wrote: Joining the conversation a little late due to travel… On 21 Mar 2025, at 21:41, Todd Herr wrote: >    - DKIM2, as currently described, allows and even encourages receivers to >    rej

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Murray S. Kucherawy
Speaking only as a participant: On Mon, Mar 24, 2025 at 8:29 AM Al Iverson wrote: > On Mon, Mar 24, 2025 at 10:06 AM Murray S. Kucherawy > wrote: > >> On Mon, Mar 24, 2025 at 7:30 AM Todd Herr wrote: >> >>> I posit that a world with unsigned messages being re

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Laura Atkins
> On 24 Mar 2025, at 14:26, Todd Herr wrote: > > On Sun, Mar 23, 2025 at 2:24 PM Al Iverson wrote: >> On Fri, Mar 21, 2025 at 9:41 AM Todd Herr wrote: >> >> > Here is what I currently understand to b

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Al Iverson
On Mon, Mar 24, 2025 at 10:06 AM Murray S. Kucherawy wrote: > On Mon, Mar 24, 2025 at 7:30 AM Todd Herr wrote: > >> I posit that a world with unsigned messages being rejected is indeed >> possible. Major mailbox providers have been saber rattling about "No auth,

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Murray S. Kucherawy
On Mon, Mar 24, 2025 at 7:30 AM Todd Herr wrote: > I posit that a world with unsigned messages being rejected is indeed > possible. Major mailbox providers have been saber rattling about "No auth, > no entry" for quite some time, and the current Yahoo/Google requirements > that at least some send

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Todd Herr
On Mon, Mar 24, 2025 at 10:24 AM Jim Fenton wrote: > Joining the conversation a little late due to travel… > > On 21 Mar 2025, at 21:41, Todd Herr wrote: > > >- DKIM2, as currently described, allows and even encourages receivers > to > >reject messages that fail DKIM2 validation > > I got

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Al Iverson
Thanks for taking the time to reply and explain, Todd! I appreciate it. >> > Moreover it removes the need for any kind of reporting, as a Domain Owner >> > will know from the rejections which messages that it authorized failed to >> > authenticate and presumably why, and the Domain Owner will ne

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Todd Herr
On Sun, Mar 23, 2025 at 2:24 PM Al Iverson wrote: > On Fri, Mar 21, 2025 at 9:41 AM Todd Herr > wrote: > > > Here is what I currently understand to be true: > > > > DMARC provides the ability for a Domain Owner to request handling for > messages that fail email validation (SPF and DKIM) and to r

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Jim Fenton
Joining the conversation a little late due to travel… On 21 Mar 2025, at 21:41, Todd Herr wrote: >- DKIM2, as currently described, allows and even encourages receivers to >reject messages that fail DKIM2 validation I got that sense from the discussion and from something in the motivation

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-23 Thread Murray S. Kucherawy
Speaking as a participant: On Fri, Mar 21, 2025 at 10:44 AM Michael Thomas wrote: > I think we can dispense with the notion some supposed DKIM2 displaces DKIM > completely. That is never going to happen. > > It also presupposes that DKIM2 is new protocol and not an update to DKIM. > That hasn't

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-23 Thread Michael Thomas
On 3/23/25 5:02 PM, Murray S. Kucherawy wrote: No call for adoption (CFA) has been issued.  I marked these as "Candidate for WG Adoption" as a first step in that direction, sort-of to "claim" them as belonging to this WG and to indicate that a CFA is imminent.  I did this because that was th

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-23 Thread Murray S. Kucherawy
Just to be clear here: On Fri, Mar 21, 2025 at 9:06 AM Todd Herr wrote: > On Fri, Mar 21, 2025 at 11:52 AM Michael Thomas wrote: > >> I am asking a question about what I believe to currently be one possible >> outcome of this group's work, based both on the content of the documents >> that ente

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-23 Thread Al Iverson
On Fri, Mar 21, 2025 at 9:41 AM Todd Herr wrote: > Here is what I currently understand to be true: > > DMARC provides the ability for a Domain Owner to request handling for > messages that fail email validation (SPF and DKIM) and to receive reports > about use of its domain > DKIM2, as currentl

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-22 Thread Alessandro Vesely
On Fri 21/Mar/2025 15:41:27 +0100 Todd Herr wrote: I am of the belief that if and when DKIM2 reaches a state of widespread adoption, there is no longer a need for Domain Owners signing with DKIM2 to participate in DMARC, a belief I expressed during the IETF 122 meeting. I wasn't at the meetin

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Michael Thomas
On 3/21/25 8:07 AM, Todd Herr wrote: On Fri, Mar 21, 2025 at 10:55 AM Michael Thomas wrote: This seems to presume that "dkim2" is some creature completely apart from DKIM. That is not at all clear, and it's not clear what is being proposed is anything more than plain old DKIM with

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Michael Thomas
On 3/21/25 11:19 AM, Tobias Herkula wrote: Best reason to run DKIM2 as a new protocol beside DKIM is that it will be testing HELL to suddenly change the Header with new Tags/Fields/Values, DKIM with elliptic curves instead of rsa signatures is a good example why "upgrading" fails hard for adop

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Tobias Herkula
As a receiver, I already reject some portions of traffic if it is unsigned or an existing signature does not verify. I would vote for a clear statement that failing DKIM2 signatures from a 100% DKIM2 mail chain should provoke a reject, as nice as "local policy" sounds, I don't like the burden of

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Tobias Herkula
On 3/21/25 9:35 AM, Mark Alley wrote: On 3/21/2025 10:12 AM, Todd Herr wrote: On Fri, Mar 21, 2025 at 11:05 AM Mark Alley wrote: If Joe Schmoe, an email administrator, signs corpor

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Michael Thomas
On 3/21/25 9:35 AM, Mark Alley wrote: On 3/21/2025 10:12 AM, Todd Herr wrote: On Fri, Mar 21, 2025 at 11:05 AM Mark Alley wrote: If Joe Schmoe, an email administrator, signs corporate mail with DKIM2 but has other mail streams that may not support it, or legacy systems incapable

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Allen Robinson
My personal take: DKIM2 is an authentication mechanism. I think it would be difficult to justify an authentication protocol dictating how systems should handle messages that do not pass authentication checks. Local policy may indeed evolve to state that DKIM2 unauthenticated == reject at some poin

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Brotman, Alex
If a message appears at my doorstep with: 5321.From: t...@herr.net 5322.From: toddh...@isp.net DKIM2 d=: intermediary.net And the DKIM2 fails, then what should I do? Reject it back to the (malicious?) sending host, who has no relationship to any of

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Mark Alley
On 3/21/2025 10:12 AM, Todd Herr wrote: On Fri, Mar 21, 2025 at 11:05 AM Mark Alley wrote: If Joe Schmoe, an email administrator, signs corporate mail with DKIM2 but has other mail streams that may not support it, or legacy systems incapable of using it, would not DMARC still be

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Michael Thomas
On 3/21/25 9:06 AM, Todd Herr wrote: Assuming that what was "called for adoption" was the "motivation" draft, I think it's *way* premature to presume much if anything about solution space, and especially anything about its relationship with DMARC. The charter, otoh, is pretty c

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Steffen Nurpmeso
Michael Thomas wrote in <22fbf28b-28d5-4c43-8e6a-50850be8f...@mtcc.com>: |On 3/21/25 8:30 AM, Todd Herr wrote: ... It takes at least a decade until this thing, DMARC, that never caused anything but trouble, is iterated out. At least. And each and every second of that is to regret. I mean, i p

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Todd Herr
On Fri, Mar 21, 2025 at 11:52 AM Michael Thomas wrote: > I am asking a question about what I believe to currently be one possible > outcome of this group's work, based both on the content of the documents > that entered "call for adoption" state in the last 12 hours and the meeting > itself from

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Todd Herr
On Fri, Mar 21, 2025 at 11:17 AM Michael Thomas wrote: > I really don't know why we should presume it's something completely > different wrt DMARC. Why would it be? I'm not really sure what the point is > of bringing it up at this point in any case. Why do we need an answer for > this now? > > >

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Todd Herr
On Fri, Mar 21, 2025 at 11:05 AM Mark Alley wrote: > If Joe Schmoe, an email administrator, signs corporate mail with DKIM2 but > has other mail streams that may not support it, or legacy systems > incapable of using it, would not DMARC still be needed to apply/report > to/for these other mailst

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-21 Thread Todd Herr
On Fri, Mar 21, 2025 at 10:55 AM Michael Thomas wrote: > This seems to presume that "dkim2" is some creature completely apart from > DKIM. That is not at all clear, and it's not clear what is being proposed > is anything more than plain old DKIM with a few new tags and some normative > text surro