Session Date/Time: 28 Jul 2023 19:00
dmarc
Summary
The dmarc working group session at IETF 117 focused on two main topics: refining the guidance around the p=reject policy and re-evaluating the role of SPF in DMARC. The session also addressed the overall progress of the working group, experiments with ARC and PSD, and concerns raised by the Area Director regarding the working group's timeline and deliverables. A significant portion of the meeting was dedicated to a discussion about the implications and appropriate use of the p=reject policy, including considerations for interoperability and the impact on mailing lists. The role of SPF in relation to DKIM and the potential for its deprecation within DMARC were also explored.
Key Discussion Points
- AD Concerns: The Area Director (Murray) expressed concerns about the working group's longevity, lack of progress, and the need to finalize the main deliverable. He emphasized the need to justify the value proposition of DMARC and address the mailing list problem.
- ARC and PSD Experiments: The status and results of the ARC and PSD experiments were questioned, specifically whether these experiments have produced actionable insights that advance the DMARC cause.
- p=reject Guidance: Discussion centered on how best to advise senders and recipients regarding the p=reject policy, including the potential for interoperability issues, particularly with mailing lists and forwarding scenarios. Several participants suggested different approaches, including stronger language discouraging the use of p=reject and framing the policy as a declaration of authentication practice rather than an instruction to receivers.
- SPF Deprecation Proposal: Tero Kivinen proposed deprecating SPF in DMARC, arguing that DKIM is sufficient and SPF introduces unnecessary complexity and potential issues. This proposal led to a debate about the importance of SPF as a backstop when DKIM is not properly implemented and the possibility of adding an "auth" tag to DMARC records indicating which authentication methods the sender supports.
- DMARC Scope: Participants reiterated that DMARC primarily addresses direct domain abuse and is not a comprehensive solution to all spam and phishing attacks.
- Informational vs Standards Track: A question was raised about whether the deliverable should be informational rather than standards track.
Decisions and Action Items
- Action Item: Barry Leiba will post a summary of the meeting to the mailing list.
- Action Item: Discuss text on list to clarify what DMARC intends to do.
- Action Item: Revisit normative text location in the draft.
- Action Item: Scott to write short result report on PST.
- Action Item: Murray to provide his presentation slides.
- Action Item: Explore best approach for documenting disposition of ARC.
Next Steps
- Continue discussion on the mailing list regarding the p=reject policy, particularly the wording of the normative text and the interoperability considerations section.
- Discuss the proposed SPF changes on the mailing list, focusing on whether there is consensus to modify the status quo.
- Barry aims to have these two issues closed by the end of August, to wrap up the document.
- Determine the next steps regarding the ARC and PSD experiments and their potential inclusion in the updated DMARC specification.