[dmarc-discuss] Co-ordinating recipient policy?
David Woodhouse
dwmw2 at infradead.org
Tue Jan 31 15:15:03 PST 2012
On Tue, 2012-01-31 at 16:13 +0000, Michael Adkins wrote:
> If I understand your concern, you believe that DMARC's use of SPF
> will lead to unacceptable false positives.
Well, it'll lead to a catch-22 situation where the admin is forced to
implement a policy which will have *either* false positives, or false
negatives, that he wouldn't have had with ADSP alone.
> The problems caused by forwarding are one of the big reasons why we wrote
> DMARC to require that only one of the underlying mechanisms pass. In this
> case, we expect that DKIM will survive forwarding intact and provide that
> single 'pass' result that DMARC requires.
Perhaps I'm being dim, but I don't see how that helps. Take the examples
I gave. Fred the sysadmin *knows* his servers receive forwarded mail,
and that honouring a "traditional" SPF record ending in -all would
result in losing genuine mail.
Fred receives a message from a domain which publishes a DMARC record,
and which also has an SPF record. The message is *not* DKIM-signed, and
fails SPF.
Can he safely (according to *his* policy) reject that message?
He doesn't know.
If the sender domain *always* DKIM-signed their messages, and published
an ADSP record that tells Fred that, he'd be able to reject the message.
But DMARC is intended to obsolete ADSP, isn't it?
If the sender domain published a DMARC record and *didn't* publish an
SPF record, that would be OK too; he'd be able to reject the message
because he'd be able to infer that the sender *is* supposed to DKIM-sign
all outbound mail.
But what if the sender domain *does* have an SPF record¹? Now Fred is
screwed. He can't know whether the lack of a DKIM signature means that
the mail is invalid. Perhaps the sending domain doesn't DKIM-sign at
all, and its DMARC record relies *only* on SPF?
So either he rejects the message, and runs the risk of false negatives
because the domain didn't really DKIM-sign *all* mail. Or he accepts it
because he can't trust SPF, and thus accepts false positives because the
domain *does* DKIM-sign all their mail, and anything lacking a DKIM
signature *was* a forgery.
One answer to this, of course, is to advise that domains which do
DKIM-sign all their mail and publish a DMARC record SHOULD NOT also
publish an SPF record. But I think it's quite naïve to expect people to
follow that advice.
--
dwmw2
¹ that actually cares about IP addresses.
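To make the dilemma concrete, here is an added example (not code from the list or from any DMARC implementation) that evaluates DMARC disposition for the message Fred receives and runs it through the two sender worlds he cannot tell apart; the domain names, the two-label organizational-domain rule, and the `trust_spf` receiver knob are assumptions.

```python
"""Minimal DMARC disposition evaluator (added example, constructed inputs)."""
from dataclasses import dataclass

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

@dataclass
class AuthResults:
    from_domain: str   # RFC5322.From domain whose DMARC record applies
    spf: str           # "pass" / "fail" / "none"
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim: str          # "pass" / "fail" / "none"
    dkim_domain: str   # d= of the verified signature ("" if unsigned)

def dmarc_pass(r: AuthResults, aspf: str = "r", adkim: str = "r") -> bool:
    """DMARC passes if EITHER aligned SPF or aligned DKIM passes."""
    spf_ok = r.spf == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    return spf_ok or dkim_ok

def disposition(r: AuthResults, policy: str, trust_spf: bool) -> str:
    """Receiver verdict. trust_spf=False models Fred, who knows his servers
    get forwarded mail and will not reject on an SPF fail alone."""
    if dmarc_pass(r) or policy != "reject":   # p=none/quarantine simplified
        return "accept"
    if not trust_spf and r.dkim == "none":
        return "accept"   # unsigned + SPF fail: could be forwarded genuine mail
    return "reject"

# Constructed message: From example.com (p=reject), unsigned, SPF fails after forwarding.
MSG = AuthResults("example.com", "fail", "example.com", "none", "")

def fred_outcomes(trust_spf: bool) -> dict:
    """Same bytes on the wire, two sender worlds the receiver cannot distinguish:
    'signs_all': sender DKIM-signs everything, so an unsigned message is forged;
    'spf_only':  sender never signs, so this is genuine forwarded mail."""
    verdict = disposition(MSG, "reject", trust_spf)
    return {
        "signs_all": "ok" if verdict == "reject" else "accepted forgery",
        "spf_only": "ok" if verdict == "accept" else "rejected genuine mail",
    }
```

Whichever value of `trust_spf` Fred picks, one of the two worlds comes out wrong, which is the catch-22 the post describes.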