Skip to main content

Last Call Review of draft-ietf-dmarc-dmarcbis-36
review-ietf-dmarc-dmarcbis-36-secdir-lc-farrell-2024-11-27-00

Request Review of draft-ietf-dmarc-dmarcbis
Requested revision No specific revision (document currently at 38)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2024-12-04
Requested 2024-11-20
Authors Todd Herr , John R. Levine
I-D last updated 2024-11-27
Completed reviews Genart Last Call review of -36 by Ines Robles (diff)
Artart Last Call review of -36 by Scott Hollenbeck (diff)
Secdir Last Call review of -36 by Stephen Farrell (diff)
Dnsdir Last Call review of -36 by R. (Miek) Gieben (diff)
Dnsdir Telechat review of -38 by R. (Miek) Gieben
Assignment Reviewer Stephen Farrell
State Completed
Request Last Call review on draft-ietf-dmarc-dmarcbis by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/Lo6VFAPPtxvjQs7_REWqlbtW4YY
Reviewed revision 36 (document currently at 38)
Result Has issues
Completed 2024-11-27
review-ietf-dmarc-dmarcbis-36-secdir-lc-farrell-2024-11-27-00
I'm not on the dmarc wg list, but have followed this work from a
distance. (IOW, feel free to correct me if I'm just wrong:-)

I think I see two issues with this draft:

(1) Recent papers e.g. [1,2] argue that the centralisation of
mail means that SPF is by now less useful than originally.  Given
it's been 9 years since RFC7489, one would assume it'll be a
while before this document gets an update, and it seems possibly
unwise to still consider SPF as "good enough" for that time
period.  Shouldn't this draft at least indicate that SPF alone
(without DKIM) is unlikely to remain sufficient for a DMARC pass?

   [1] https://wangchuhan.cn/publication/ndss24-a/ndss24summer_paper_wang.pdf
   [2] https://arxiv.org/pdf/2302.07287

(2) The tree-walk calls for querying TLDs for TXT RRs. Was that
discussed with DNS operators for TLDs? It seems like moving from
the PSL to a tree-walk puts work on non-email DNS operators.
Would it be useful to offer some guidance to TLD DNS operators
as to e.g. publishing a long-TTL TXT RR that'd reduce the amount
of work they get, or is that considered (by them) as trivial?

Otherwise the draft seems good, if very very wordy.