IETF Logo Mail Archive

Re: [Cfbl] Double DKIM signing

Ken O'Driscoll <ken@wemonitoremail.com> Tue, 05 July 2022 11:37 UTC

Return-Path: <ken@wemonitoremail.com>
X-Original-To: cfbl@ietfa.amsl.com
Delivered-To: cfbl@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBCA5C15A72E for <cfbl@ietfa.amsl.com>; Tue, 5 Jul 2022 04:37:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wemonitoremail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ph122zHVkjd4 for <cfbl@ietfa.amsl.com>; Tue, 5 Jul 2022 04:37:20 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2129.outbound.protection.outlook.com [40.107.20.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EEFAC159498 for <cfbl@ietf.org>; Tue, 5 Jul 2022 04:37:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Zs9AGOzzGRn6U9QgYuzZ7lgx8Bl0Tr3x2mPoLx/pa0lCnR0Uf9sYd+yqe9i/CVJKawibFF13L4d1/PtIt7oFcmIZJLjn1y1KvDHvfu5sh5PGSjzSPvX+tfMBkEg9I7MP6CVYvc0/WmlIE8gePcJYFiMQut7vGWMgViIO9FOjxHUk1iRv/wAvHnzHAImFqCll/yqdUMC9Li5+IzvFSn0kup2PexCC/yiMo0wgkb1XSNK54RQh6ynVmOwY+HDfZBrgqQTKMchCaD52JXkhtpZS82rB4wJKZ0XeYVsrLtkF1n7fz6mIgdD9y26yG7LzAGXgHFdP7HyJQ6Q/CMUtv0Edqg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=5ZsoMr9bixEMaHDKM1q6846MvgsA8+LvahH95UeD25w=; b=VgEuK/psME7Hm5NamaKVrz1pHJ/1bkXGX2ckuiEKnWYkzBvyMEdevzHA4grygxeGAUvwI2p/nP4GVGFuzPmuBqzgfTVZfxUJCKZxvujFEi+kW6qm5d7+vVR1duAv8Ng8mf1xBiBn5kKoTKDghk/wkPdXO5L+9foDF5HgMZnPN1h5kTwVqKTcsfaLT04c5lD2hMUdZNUkGfCC451BxFHm6Xx4aKdPNrKDNeeusTVTCjoY+685K3JlYYRo/jWpN6MuvP9mkX0U+NwQd+gtaHOQGySwHxfwRJ3QTrompu9kacGxUSXQlu/L2GaddDqZVZ/Ssb/gVc5q10hlPbcOAq8ihQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=wemonitoremail.com; dmarc=pass action=none header.from=wemonitoremail.com; dkim=pass header.d=wemonitoremail.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wemonitoremail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5ZsoMr9bixEMaHDKM1q6846MvgsA8+LvahH95UeD25w=; b=FZ9iAVzv6mua8npjDrmonFBmRjIxaTh8Oq5T0rcZF2vieZJShiveSofMvld8lrTcSIkihyncoX5nLygPdfA5kIv6eCQAQbXCeJIZOjx3FdnT7Sq7DdeiKhBwFgaRgYaemK9yDbH1G7V/JgfoHLi6lsak/nSJYGOS7QTpFOSb2FoLzndFnCQXzAtWnCAEwlcnedUaAVapOaN1ryQCq5Vp5wjnUyq/3JraprWcVwkS5QdKvlfzbLsUdywuYn6oWulT5GUHGubxBGzzfersCpeMJPtio1QBO9qCEAwrFirTIK5qBUj91VzlyVKCGWzzz1Rx5Dy+K8/3sJhUcTqoyKp2eg==
Received: from VI1PR01MB7053.eurprd01.prod.exchangelabs.com (2603:10a6:800:19a::9) by DB8PR01MB6518.eurprd01.prod.exchangelabs.com (2603:10a6:10:15c::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5395.15; Tue, 5 Jul 2022 11:37:16 +0000
Received: from VI1PR01MB7053.eurprd01.prod.exchangelabs.com ([fe80::201a:d673:a80a:4682]) by VI1PR01MB7053.eurprd01.prod.exchangelabs.com ([fe80::201a:d673:a80a:4682%2]) with mapi id 15.20.5395.021; Tue, 5 Jul 2022 11:37:16 +0000
From: Ken O'Driscoll <ken@wemonitoremail.com>
To: Jan-Philipp Benecke <jpb=40cleverreach.com@dmarc.ietf.org>
CC: "cfbl@ietf.org" <cfbl@ietf.org>
Thread-Topic: [Cfbl] Double DKIM signing
Thread-Index: AdiGLIRO25iXmkXaRDaAn4tdp6hzaQEmoEEAAWbxfsA=
Date: Tue, 05 Jul 2022 11:37:16 +0000
Message-ID: <VI1PR01MB7053084A906F05AAF9BB059BC7819@VI1PR01MB7053.eurprd01.prod.exchangelabs.com>
References: <VI1PR01MB70538205B38B6E1C9C665F35C7B29@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <a2056e56-79ce-273d-2bfe-4a6877afbbb0@cleverreach.com>
In-Reply-To: <a2056e56-79ce-273d-2bfe-4a6877afbbb0@cleverreach.com>
Accept-Language: en-IE, en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=wemonitoremail.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d979fb89-065d-4acc-8c3c-08da5e7ab639
x-ms-traffictypediagnostic: DB8PR01MB6518:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: pDOjPgqeC02O2StgBYIMUgJro3lf5j4ESil96jjnFrRS9mKRCknRoT4jxHKyhy6J85HslKlnCyb+ZeHT/FnBfrA9DGrr7gLJ9u5ODID2n+73c1n6ssU47dMf10yzzLjdwD+vDP0aFm9J36xHTMS5SlDbWpE5xlOwlwZhyICiKKomVepH5fmhYqKYNqorcoDBeRKZSK/ifDzDOuHrEZ7pa5hJscEivjJ6SMAgBJocbOziv+jP5BwjwR7szEjAMoB9bdPQx/qo06eY4ZnWG0EoTcRc7DxmPuCxa+GZqJ/ThRP/90phfnAzpumRzMqacg1XMki7T5/ed2z7qTPjgPwcbEVutQL+7H5PwTwUhcVFVlVJ6qAyr6NUKmcDoM13FxVw/M+B6Zk8XkRwLS5SJA9Zt1fXcbdfUoMq7mAyVYANZlPgbm6cTLi2FeZTdvSm4lrNZ1W0j11zLrCz7B5CXTplwPwJi0WgM+f65ryuRQnQiozasVOECMbv9SzL73CVyE+00VJQs52CjpUv4cXige+COL0Hx0xU5G9nfFA+gTu2vUw6RqWJGaweVsunx/KXxx0mksuOJ5u1XspHdPXZUgLcRjH9F8zKBwo/hnx6h7UsyTaLARCb4gQ4TC6E+9GGY8BxYw98arX5Z43He+uwbixI13Y1YmaYZTtxVJDlMmiDYv6lf/jt+74UolKAu+fc2tBFbqkL0pP5O/nK4RZLcqH3yP7ydXTYdxVvhUHOSa9HdKm5qmM/UMQlEQ7m3E4A+V+qwu0EZHakZXfRoxQCReLQLXV3ZLMdU3xi6ntdThA1TMfVsmlyMUhi+4eqhMc1Lh2M
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR01MB7053.eurprd01.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230016)(396003)(366004)(346002)(376002)(39830400003)(136003)(316002)(83380400001)(26005)(9686003)(33656002)(186003)(6506007)(86362001)(55016003)(2906002)(5660300002)(7696005)(66556008)(66476007)(66446008)(64756008)(38100700002)(66946007)(8676002)(4326008)(76116006)(478600001)(41300700001)(71200400001)(122000001)(38070700005)(53546011)(52536014)(8936002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 9tG3LMGMHpUJLqiqYhSVA+sDrZsO4ro6yEEjhiYwUhzbXKTG7GRCZ1d49LxC/wfXpMeXm+xJ1QV2d7AnJhzauagEpOdQa7VH37l9KjC/cNNiQLNtEUqQ4nplpmm+/Mvucx8KykPGsAq4V3C7UUGU0OqMtlHEgx3ZHMuXZi4wvhqurLWemKHcEKYW2IoPKbf9YgZDvAGHikt3ManFQt/L8XNY9a6bCOulIGqdfthK/bviqDmIKSAqgasWTnHUXFAwDDl0PvNFAj0+muPF3z91fOeu/wy+DJsdD+ndYRx1yPBe1QQKkNFL4th30mJ8Nyy/QXI2ouhD+n8ra9PZsgtrAhDQqm1DFUxNzalX1V0dV3T3hxLzSGyoZ/BhGCgh5dMUlVajHWwV3FUN+zMg1YjPKIPqC5NvnOhwME2ohLs7FJsCDPzc5/BM8tTDbwFJU3VAZD6MYHTUEf59mjtw0q4eL8zvKPXR1YmjY/n7ZRsawk7yNTZNJwqra88zKHqNWKxOD9KTAEQ2RiQPUv3/va3A5b6fYL5x62Z9gKHsjZ6kcELkhBndCxQoujNigXwqyTISV3XtmY2DSn4Gdkh7XBJMyK8RExxjuI65KqfB4qywDgxaDtOLf/oVi0y5Wh402kruvW1Yi8PZyHMYUb4HmnESXLq4k0bO405IcrOZoKfGWZbMPRyseycO7D0F0CjdWc2FVGxuod4a/kDMKYolTi5PVJRxPtooAb3yNF7FGsTBMxSqonNyUwqys6jFqTQ4ocGJ2UBlVTDr7t1UiSNapOoP9AwsO+bUDb75ZqoNWHlNz4Pkh8ohpSwt1+hb8lrigkWUo7bOq8Ffi0GBWwYmxsgwD0nHhPaj6d7chTWbKWFQDPn6Y7c8FlwhMTLjKNM3F9NSxxnYakY8Nax69moTJ2pEVPnXLZ5PPYGXsBZZaA1bh48zoJ/sVwAouQRjSN9K5W3e+r7Wr0C6tJ2QE6hoEl0UT/bWr9sgHk7S2NrO50VgpUwYDNcOqgyHDf69j2qhZiTsLLlGmqZZR2pul8lmEVTrX2DhkxY9zBOu4DfVwGjmzyFgd3s9JH9LriiEZ4vlK9Rpo7PXqHnYUY6Id9fApfJP9eeFD0XRQHWCRf4x6gvX7FKSvnnz53YIpCUJWEUEFcd3Pk8WtMtRWkXyrlkFcMGN4khgM88qh3Cd3+7Vm7NlbbLiUiizPu8Er4hGOvuGgMGc2hO+KS0kIXq91NfkN+/N6lBp1BcGIWyDir/Au8XLWrVJvqK39g7qpSx1DPaa3w0xuJwPYBf9FlxmZcOpw2yWyeBAXrhLliINR+l9HDUVb+EsMHcNYfF+K4pbdN8SEVI8GfDg2b7rTis23R3Bdgys9S+7wZPTKhRHBVKG9yBaeiGE+jmbl7nyok2jlxxz3EDtqaarhWsG4Di2GbuhMIOcKIZii0EnAdee5df5rGfOz4+7N8iFTr92YYWi2oEX9vizq+vmQSUU088LgzN0sbauU/0cZzmvAm/RRoNsOCCfopingfWfF69vH1GzKF6nyIer5TFs13BteHQfjdFtlUMFMiyRAzKRKF72mb5xOrhN8BdUFlSQ14l3Z5KfHIu/JxHL
Content-Type: multipart/alternative; boundary="_000_VI1PR01MB7053084A906F05AAF9BB059BC7819VI1PR01MB7053eurp_"
MIME-Version: 1.0
X-OriginatorOrg: wemonitoremail.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1PR01MB7053.eurprd01.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d979fb89-065d-4acc-8c3c-08da5e7ab639
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jul 2022 11:37:16.2279 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a2b1d6fe-fc8b-4b7c-b9f1-d7b1ab3d23b3
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: s3BuImsff94fUNq5C83VywQGvNgPo4tab/UYvDJpG8zqXhXCMvUI9SsiRES95zc7ik+fpkWEeulmajCFNvC94A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR01MB6518
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfbl/m13JGbkKG37xuxUAn2goypFZ09w>
Subject: Re: [Cfbl] Double DKIM signing
X-BeenThere: cfbl@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussions mailing list about Complaint Feedback Loop Address Header <cfbl.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cfbl>, <mailto:cfbl-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfbl/>
List-Post: <mailto:cfbl@ietf.org>
List-Help: <mailto:cfbl-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cfbl>, <mailto:cfbl-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jul 2022 11:37:24 -0000

Yes, that addresses the issue.

The problem with allowing senders any control over their mail service providers' ability to receive FBL reports, is bad senders. A bad sender will break their DNS so that DKIM fails if they think that that would reduce the number of complaints received in connection with their content.

Ken.

From: Cfbl <cfbl-bounces@ietf.org> On Behalf Of Jan-Philipp Benecke
Sent: Tuesday 28 June 2022 09:14
To: Ken O'Driscoll <ken=40wemonitoremail.com@dmarc.ietf.org>
Cc: cfbl@ietf.org
Subject: Re: [Cfbl] Double DKIM signing

Ken O'Driscoll schrieb am 22.06.22 um 14:30:


First, I'd like to thank Jan-Philipp for all of the hard work they put in getting the first draft.

One thing that jumps out at me is the requirement for double DKIM signing (section 3.1.3). If I read this correctly, the draft requires that if the CFBL-Address domain is different to that of the 5322.From domain, then the message must also be DKIM signed using the 5322.From domain in order for the CFBL header to be considered valid. The draft claims that this is to ensure that the 5322.From domain owner consents to the CFBL-Address domain receiving reports.

Why is this desirable? In the most common use case for FBLs, that of a mail service provider adding the CFBL header with their own report address and sending messages on behalf of a sender's domain, the sender should not be able to decide what receivers can send complaints based on their messages. Surely that defeats the purpose of an FBL.

Further, the requirement for the 5322.From domain's signature to sign the CFBL headers makes optimistic assumptions about how much control senders may have over the first-hop MTAs which they use.

While there are other arguments for DKIM signing messages with the 5322.From domain, it shouldn't be a requirement for FBL reports to be generated.

Ken.
Thank you for your kind words and your feedback. I'm so sorry for the late reply.

The original intent was to have both parties agree to receive FBL messages via a third party address to prevent some sort of MITM attack.
For example, a malicious party changes the CFBL-Address to their domain and signs it while transfer.
However, this is also possible with any other header that is not signed with DKIM.

The following example considered valid then:

Return-Path: <sender@super-saas-mailer.com><mailto:sender@super-saas-mailer.com>
From: Awesome Newsletter <newsletter@example.com><mailto:newsletter@example.com>
To: receiver@example.org<mailto:receiver@example.org>
Subject: Super awesome deals for you
CFBL-Address: fbl@super-saas-mailer.com<mailto:fbl@super-saas-mailer.com>; report=arf
Message-ID: <a37e51bf-3050-2aab-1234-543a0828d14a@example.com><mailto:a37e51bf-3050-2aab-1234-543a0828d14a@example.com>
Content-Type: text/plain; charset=utf-8
DKIM-Signature: v=1; a=rsa-sha256; d=super-saas-mailer.com; s=system;
       h=Subject:From:To:Message-ID:CFBL-Feedback-ID:CFBL-Address;

This way a mail service provider has the possibility to accept pre-signed mails from their senders and inject its own FBL report address.

I think this makes much more sense, what do you think? If so, I would change this with the next revision.

Again, thank you for bringing this up.

- JP

v2.23.0 | Report a Bug | By Email