[dmarc-discuss] policy overrides and 'what-if'
Douglas Otis
dotis at mail-abuse.org
Wed Apr 4 17:36:10 PDT 2012
On 4/4/12 4:39 PM, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: dmarc-discuss-bounces at blackops.org [mailto:dmarc-discuss-bounces at blackops.org] On Behalf Of Franck Martin
>> Sent: Wednesday, April 04, 2012 4:33 PM
>> To: Douglas Otis; dmarc-discuss at dmarc.org
>> Subject: Re: [dmarc-discuss] policy overrides and 'what-if'
>>
>> My understanding, is usually DKIM and SPF checks are done anyway before
>> DMARC is evaluated...
> That's typically the case. Moreover, DKIM is the more expensive check, so it would probably be more common to short-circuit DKIM once SPF passes, but one could theoretically do it either way.
Dear Murray,
From a security standpoint, it would be safer to trust DKIM content
authentication in conjunction with DMARC header field validation and
only use SPF authorization as fallback. Any entity gaining access to an
SPF authorized outbound server could spoof DKIM signatures per this
advice, since DKIM failures would be ignored. The cryptographic
overhead for DKIM is more deterministic and improving with CPU
advancement. Depending upon the number of DNS transactions required,
SPF might prolong consumption of likely limited network connectivity.
Of course, this would depend upon the nature of senders, where currently
this mostly represents various malefactors. Once DMARC becomes popular,
it should be assumed malefactors will predominate there as well. It
seems secure strategies should closely monitor and assess DKIM failure
rates with included warnings, and never use SPF as a reason for skipping
much stronger protections.
Regards,
Douglas Otis
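As an added illustration of the point made in this message, not code from the thread or from any DMARC implementation: the evaluator below compares the two strategies Murray describes, short-circuiting on an aligned SPF pass versus always evaluating DKIM as well, and keeps a per-domain DKIM failure rate so that a spike in signature failures from an otherwise SPF-authorized source is visible. The `AuthResult` structure, the function names, and the organizational-domain rule (last two labels instead of a Public Suffix List lookup) are assumptions made for the example; the sample messages are constructed.

```python
"""Added example: DMARC evaluation with and without the SPF short-circuit.

Hypothetical evaluator (not any real DMARC library). Result strings follow
the Authentication-Results vocabulary: "pass", "fail", "none".
"""
from dataclasses import dataclass


@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain that DMARC protects
    spf: str           # SPF result for the MAIL FROM domain
    spf_domain: str    # MAIL FROM domain SPF was evaluated against
    dkim: str          # DKIM verification result ("none" = unsigned)
    dkim_domain: str   # d= tag of the signature, "" if unsigned


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels. Real deployments
    # consult the Public Suffix List; this stands in for that lookup.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(from_domain: str, auth_domain: str, strict: bool = False) -> bool:
    """Relaxed alignment by default (same organizational domain)."""
    if not auth_domain:
        return False
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_shortcircuit(r: AuthResult) -> dict:
    """Stop at an aligned SPF pass; DKIM is then never consulted."""
    if r.spf == "pass" and aligned(r.from_domain, r.spf_domain):
        return {"dmarc": "pass", "via": "spf", "dkim_checked": False, "warnings": []}
    dkim_ok = r.dkim == "pass" and aligned(r.from_domain, r.dkim_domain)
    return {"dmarc": "pass" if dkim_ok else "fail",
            "via": "dkim" if dkim_ok else None,
            "dkim_checked": True, "warnings": []}


def evaluate_full(r: AuthResult) -> dict:
    """Evaluate both mechanisms; a DKIM failure is recorded even when SPF passes."""
    spf_ok = r.spf == "pass" and aligned(r.from_domain, r.spf_domain)
    dkim_ok = r.dkim == "pass" and aligned(r.from_domain, r.dkim_domain)
    warnings = []
    if spf_ok and r.dkim == "fail":
        # The case the message warns about: SPF-authorized host, bad signature.
        warnings.append("dkim-failed-with-spf-pass")
    via = "dkim" if dkim_ok else ("spf" if spf_ok else None)
    return {"dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
            "via": via, "dkim_checked": True, "warnings": warnings}


class DkimFailureMonitor:
    """Track DKIM failure rate per organizational From domain."""

    def __init__(self, warn_ratio: float = 0.05):
        self.seen: dict = {}
        self.failed: dict = {}
        self.warn_ratio = warn_ratio

    def observe(self, r: AuthResult) -> None:
        d = org_domain(r.from_domain)
        self.seen[d] = self.seen.get(d, 0) + 1
        if r.dkim == "fail":
            self.failed[d] = self.failed.get(d, 0) + 1

    def failure_rate(self, domain: str) -> float:
        d = org_domain(domain)
        return self.failed.get(d, 0) / self.seen[d] if self.seen.get(d) else 0.0

    def domains_over_threshold(self) -> list:
        return sorted(d for d in self.seen if self.failure_rate(d) > self.warn_ratio)


# Constructed sample: mail from an SPF-authorized relay carrying a signature
# that does not verify (e.g. body tampered after signing).
SUSPECT = AuthResult("example.com", "pass", "bounce.example.com", "fail", "example.com")
CLEAN = AuthResult("example.com", "pass", "bounce.example.com", "pass", "example.com")


def demo() -> dict:
    monitor = DkimFailureMonitor(warn_ratio=0.05)
    for r in [CLEAN] * 7 + [SUSPECT] * 3:
        monitor.observe(r)
    return {
        "shortcircuit": evaluate_shortcircuit(SUSPECT),
        "full": evaluate_full(SUSPECT),
        "rate": monitor.failure_rate("example.com"),
        "flagged": monitor.domains_over_threshold(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Both strategies yield the same DMARC verdict for the suspect message, because DMARC passes on either aligned mechanism; the difference is that the short-circuit path never sees the failed signature, so the failure rate the message recommends watching cannot be computed from it.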