[dmarc-discuss] policy overrides and 'what-if'
Scott Kitterman
sklist at kitterman.com
Wed Apr 4 18:12:41 PDT 2012
On Wednesday, April 04, 2012 05:36:10 PM Douglas Otis wrote:
> On 4/4/12 4:39 PM, Murray S. Kucherawy wrote:
> >> -----Original Message-----
> >> From: dmarc-discuss-bounces at blackops.org
> >> [mailto:dmarc-discuss-bounces at blackops.org] On Behalf Of Franck
> >> Martin Sent: Wednesday, April 04, 2012 4:33 PM
> >> To: Douglas Otis; dmarc-discuss at dmarc.org
> >> Subject: Re: [dmarc-discuss] policy overrides and 'what-if'
> >>
> >> My understanding is usually DKIM and SPF checks are done anyway
> >> before DMARC is evaluated...
> >
> > That's typically the case. Moreover, DKIM is the more expensive check,
> > so it would probably be more common to short-circuit DKIM once SPF
> > passes, but one could theoretically do it either way.
> Dear Murray,
>
> From a security standpoint, it would be safer to trust DKIM content
> authentication in conjunction with DMARC header field validation and
> only use SPF authorization as fallback. Any entity gaining access to an
> SPF authorized outbound server could spoof DKIM signatures per this
> advice, since DKIM failures would be ignored. The cryptographic
> overhead for DKIM is more deterministic and improving with CPU
> advancement. Depending upon the number of DNS transactions required,
> SPF might prolong consumption of likely limited network connectivity.
> Of course, this would depend upon the nature of senders, where currently
> this mostly represents various malefactors. Once DMARC becomes popular,
> it should be assumed malefactors will predominate there as well. It
> seems secure strategies should closely monitor and assess DKIM failure
> rates with included warnings, and never use SPF as a reason for skipping
> much stronger protections.
Nonsense.
If a malicious entity has access to an SPF authorized server to spoof outgoing
mail, they can do the same with DKIM. Both SPF and DKIM Pass mean that the
messages passed through an authorized server at some point.
Scott K
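The two evaluation orders discussed in the thread (run SPF and DKIM, then evaluate DMARC; or short-circuit DKIM once SPF passes), worked through as an added example. This is not code from the thread or from any DMARC implementation. It assumes SPF and DKIM results have already been computed and shows why a short-circuit is only safe on an aligned SPF pass: DMARC passes on either aligned identifier, so skipping DKIM after an aligned SPF pass cannot change the disposition, while skipping it after a raw SPF pass on an unrelated MailFrom domain would. The `org_domain` approximation (last two labels instead of the Public Suffix List), the function names and all domains and messages below are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Real checkers consult the Public Suffix List; the approximation is an
    assumption made for this example."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(ident: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) needs the same organizational domain."""
    a, b = ident.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class DkimResult:
    d: str       # d= tag of the verified signature
    result: str  # "pass" or "fail"


@dataclass
class Message:
    from_domain: str       # RFC5322.From domain, the identifier DMARC protects
    mail_from_domain: str  # RFC5321.MailFrom domain that SPF authorized
    spf_result: str        # "pass" / "fail" / "none"
    dkim: List[DkimResult] = field(default_factory=list)


@dataclass
class DmarcRecord:
    p: str = "reject"  # requested policy for failing mail
    adkim: str = "r"   # DKIM alignment mode
    aspf: str = "r"    # SPF alignment mode


def spf_aligned_pass(msg: Message, rec: DmarcRecord) -> bool:
    return msg.spf_result == "pass" and aligned(msg.mail_from_domain, msg.from_domain, rec.aspf)


def dkim_aligned_pass(msg: Message, rec: DmarcRecord) -> bool:
    return any(s.result == "pass" and aligned(s.d, msg.from_domain, rec.adkim) for s in msg.dkim)


def evaluate_dmarc(msg: Message, rec: DmarcRecord, short_circuit: bool = False) -> Tuple[str, str, List[str]]:
    """Return (DMARC result, disposition, checks consulted).

    With short_circuit=True the DKIM result is not consulted once SPF has
    produced an *aligned* pass. Because DMARC passes on either aligned
    identifier this cannot change the disposition; it only saves the DKIM
    work. Short-circuiting on a raw SPF pass without the alignment test
    would be a bug (see the 'esp' sample below)."""
    consulted = ["spf"]
    if spf_aligned_pass(msg, rec):
        if short_circuit:
            return "pass", "none", consulted
        consulted.append("dkim")  # both checks were done anyway
        return "pass", "none", consulted
    consulted.append("dkim")
    if dkim_aligned_pass(msg, rec):
        return "pass", "none", consulted
    return "fail", rec.p, consulted


# Constructed sample results; none of these domains or messages come from the thread.
REC = DmarcRecord(p="reject", adkim="r", aspf="r")
SAMPLES = {
    # Direct send from the domain's own MTA: SPF is aligned, DKIM not needed.
    "direct": Message("example.com", "example.com", "pass",
                      [DkimResult("example.com", "pass")]),
    # Mail relayed by a third-party sender using its own bounce domain: SPF passes
    # but is not aligned, so DKIM must still be consulted to reach a pass.
    "esp": Message("example.com", "bounces.esp-provider.net", "pass",
                   [DkimResult("mail.example.com", "pass")]),
    # SPF passes for an unrelated MailFrom domain and there is no signature:
    # neither identifier is aligned, so the domain's policy applies.
    "unaligned": Message("example.com", "unrelated.example", "pass", []),
}


def run_all(short_circuit: bool):
    """Evaluate every sample under one evaluation order."""
    return {name: evaluate_dmarc(m, REC, short_circuit) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("short_circuit =", mode)
        for name, (result, disp, checks) in run_all(mode).items():
            print(f"  {name:10s} dmarc={result:4s} disposition={disp:10s} consulted={checks}")
```

Running it shows the same disposition for every sample in both orders; the only difference is that the 'direct' message never touches DKIM when short-circuiting, while the 'esp' message always does because its SPF pass is for the provider's bounce domain, not the From domain.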