[Cfbl] Double DKIM signing

Ken O'Driscoll <ken@wemonitoremail.com> Wed, 22 June 2022 12:30 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfbl/jGNn6RHmeRCInbLfMYkRg8MnBp8>
List-Id: Discussions mailing list about Complaint Feedback Loop Address Header <cfbl.ietf.org>

First, I'd like to thank Jan-Philipp for all of the hard work they put in getting the first draft.

One thing that jumps out at me is the requirement for double DKIM signing (section 3.1.3). If I read this correctly, the draft requires that if the CFBL-Address domain is different to that of the 5322.From domain, then the message must also be DKIM signed using the 5322.From domain in order for the CFBL header to be considered valid. The draft claims that this is to ensure that the 5322.From domain owner consents to the CFBL-Address domain receiving reports.

Why is this desirable? In the most common use case for FBLs, that of a mail service provider adding the CFBL header with their own report address and sending messages on behalf of a sender's domain, the sender should not be able to decide what receivers can send complaints based on their messages. Surely that defeats the purpose of an FBL.

Further, the requirement for the 5322.From domain's signature to sign the CFBL headers makes optimistic assumptions about how much control senders may have over the first-hop MTAs which they use.

While there are other arguments for DKIM signing messages with the 5322.From domain, it shouldn't be a requirement for FBL reports to be generated.

Ken.
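The alignment rule Ken describes from section 3.1.3 of the draft, worked through as an added example (not code from the post or from the draft): a Python check that, given already-verified DKIM signatures, decides whether the CFBL-Address header counts as valid. The header values are constructed, the `b=`/`bh=` signature values are placeholders, and cryptographic verification is assumed to have been done upstream by a DKIM library, so only the `d=` alignment and `h=` coverage are evaluated. The sample reproduces the scenario in the post: a provider signs with its own domain and adds its own report address, while the sender's 5322.From domain signature does not cover the CFBL header.

```python
from email.utils import parseaddr

# Constructed sample headers (not from the original post). The DKIM-Signature
# values are placeholders; this check assumes both signatures already passed
# cryptographic verification and only applies the draft's alignment rule.
SAMPLE_HEADERS = {
    "From": "Alice <alice@sender.example>",
    "CFBL-Address": "fbl@esp.example",
    "DKIM-Signature": [
        "v=1; a=rsa-sha256; d=esp.example; s=s1; h=From:To:Subject:CFBL-Address; bh=...; b=...",
        "v=1; a=rsa-sha256; d=sender.example; s=s2; h=From:To:Subject; bh=...; b=...",
    ],
}

def _domain(addr_header):
    """Return the lower-cased domain of a single mailbox header value."""
    return parseaddr(addr_header)[1].rsplit("@", 1)[-1].lower()

def _tags(sig):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 syntax)."""
    return {k.strip().lower(): v.strip() for k, v in
            (t.split("=", 1) for t in sig.split(";") if "=" in t)}

def signers_covering(headers, field):
    """Set of d= domains whose (assumed verified) signature lists `field` in h=."""
    out = set()
    for sig in headers.get("DKIM-Signature", []):
        tags = _tags(sig)
        signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
        if field.lower() in signed and "d" in tags:
            out.add(tags["d"].lower())
    return out

def cfbl_address_valid(headers):
    """Apply the double-signing rule as described in the post: the CFBL-Address
    domain must sign the CFBL-Address header, and when the 5322.From domain
    differs it must *also* have a signature whose h= covers CFBL-Address."""
    from_dom = _domain(headers["From"])
    cfbl_dom = _domain(headers["CFBL-Address"])
    covering = signers_covering(headers, "CFBL-Address")
    if cfbl_dom not in covering:
        return False, "CFBL-Address domain did not sign the CFBL-Address header"
    if from_dom != cfbl_dom and from_dom not in covering:
        return False, f"5322.From domain {from_dom} has no signature covering CFBL-Address"
    return True, "ok"
```

With the sample as constructed the check fails, which is exactly the provider-on-behalf-of-sender case the post argues should not need the sender's cooperation; adding `CFBL-Address` to the sender.example signature's `h=` list makes it pass.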