IETF Logo Mail Archive

Re: [Cfbl] Double DKIM signing

Jan-Philipp Benecke <jpb@cleverreach.com> Tue, 28 June 2022 08:14 UTC

Return-Path: <jpb@cleverreach.com>
X-Original-To: cfbl@ietfa.amsl.com
Delivered-To: cfbl@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB963C157B5E for <cfbl@ietfa.amsl.com>; Tue, 28 Jun 2022 01:14:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.984
X-Spam-Level:
X-Spam-Status: No, score=-3.984 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-1.876, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cleverreach.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2T2xuz53FYbw for <cfbl@ietfa.amsl.com>; Tue, 28 Jun 2022 01:14:06 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27D8EC15CF32 for <cfbl@ietf.org>; Tue, 28 Jun 2022 01:14:06 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id h23so24025947ejj.12 for <cfbl@ietf.org>; Tue, 28 Jun 2022 01:14:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cleverreach.com; s=gsuite; h=subject:to:cc:references:from:autocrypt:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=KMAbvyiemvQXwgPXkyYs4eYlcNshg2eh+7fK+Dsjq60=; b=hK0HJCdCJqHCaG0wsVG84DOq6axKXgWglWWr2UwoW2BRAQypox6WocpV78apXCcdb9 lYEJYNKkLKuVuLf+wuVhzEkqP71Ibufbz1nt+dwU7GVsM1O5c7sCgVfcv7gH2YckOMmr IjVnGwvOky0RTJkdGv9SE5K+z4YzFHSrSIZJl47a9X+Hjo/YJtPd2ExSGiBqMKjova5Q oaw0UxO0k/r4ygva0UfXaJ+LDV2RdGD63HNr31J0oiwJh5uB+zRuNn7hypMWo9sn+Gma epSsR1wXPkD1R8dFtmwz7zGJ9x7OFZr1/DHvv/vaUwzgeBFYWU7vJ9boCMS9a1VYw1Zh 38og==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:cc:references:from:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language; bh=KMAbvyiemvQXwgPXkyYs4eYlcNshg2eh+7fK+Dsjq60=; b=hcKYoPU2MVxFtmGpQfr7VXjC/W7F0GqVHXNdu0iXM/iSMp7Bp2ogScD3ghCE1WPuTH l4WhZkjjE106/nEhDD3/+YoThuiHgW34W5LhY3Wrx7BMKh/zFLxoqsPQvsBaodD+kymx uWdM6q1fc0nGr0abVODdmn+VEDjLg7QU78Bz/9WMNVVh910RzRSFQw8smxBq2QOHjz4K F6iTu7sXAOmvgPr1GAGRRknzpkyoQbavl0WBljoUPnNUiXajL/pb+IxeIN6Bn3/h29s1 d3R49Rq1Vy8GuYiR3R1Q1vod+yMbLVvLZ94om0VeBjTzZUpceIn7AZCLc2Gx40ym066v yaSQ==
X-Gm-Message-State: AJIora9i2gnRX/ag3WxIPGxpACLqU1dQ4mQtuwTTAi6BEaCjgGhkcALT mRVXKuqS1DPH2yvXav8LrGmRS7+uTIrENA==
X-Google-Smtp-Source: AGRyM1sBPYzHyfyZRMT/uDEgZYQtbijvSYC0TF510Va1zQvASSSTdNE6oz+geY5PeIISY9TB9/Dhtw==
X-Received: by 2002:a17:907:3f1d:b0:726:c927:769b with SMTP id hq29-20020a1709073f1d00b00726c927769bmr3340901ejc.754.1656404043856; Tue, 28 Jun 2022 01:14:03 -0700 (PDT)
Received: from ?IPv6:2a01:c22:c999:c500:3918:8a5c:9608:ce90? (dynamic-2a01-0c22-c999-c500-3918-8a5c-9608-ce90.c22.pool.telefonica.de. [2a01:c22:c999:c500:3918:8a5c:9608:ce90]) by smtp.gmail.com with ESMTPSA id i3-20020a170906444300b006feec47dae7sm6178228ejp.149.2022.06.28.01.14.02 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Jun 2022 01:14:03 -0700 (PDT)
To: Ken O'Driscoll <ken=40wemonitoremail.com@dmarc.ietf.org>
Cc: "cfbl@ietf.org" <cfbl@ietf.org>
References: <VI1PR01MB70538205B38B6E1C9C665F35C7B29@VI1PR01MB7053.eurprd01.prod.exchangelabs.com>
From: Jan-Philipp Benecke <jpb@cleverreach.com>
Autocrypt: addr=jpb@cleverreach.com; keydata= mQINBFrysUsBEADQYMZcxSR4I75JXuNQCL2eqapAsPU+AwiuGOBxHHdWdfbPyetairW9z28L 9Nf7xrqXgZdgOU3CEhEdUIdJwkYZqWnTuS9sdtF4Zbe0eT89UtAYlF4V5O27ubJV4Yw4X+yP 7B0ks9RBr0XnulL3G6rgh/qKDV7cOhBVn3+bk2EAuJ3Nx/EpZccPh9fAikOkw9Bd95FHtIOC hH/EyU05DP6dVNIg8q44mrFeOxymR65jb1rJEQZG2D8ElQzQ/Hr81aB0xaUd6Mz4lYwHhylY tFpcw0C6t9WqzyMFAMM8eqzZJryukuohvTCs61T/7O37FhzD0O64YR4aMbXJoX3E4fHcdMSh n/68oOIDE1IhiVLB41l83cIWLDx9AnhZ1nKMKh8g7cdZ5xcYlZKGG4NDpTSAbN3AXV6lEOLF AM4arGFSYOQOtd3op7FEsIwnpeBmTQARrV0A3TsaQoTTx25u9Xe9TwMAfu6IzJnt+X+Y8Kaq IdvtubAQEsVu637bxJAqVnvHPAdqMyvd2sjr9BU0n0tyQ/fufPwWGsXVsz9t0/16jo0l3ORe onBHWbD5S8oS8NWxtr9p86LHTYOZxfgMssgj1zK4HIVCf+L7rdGsSvWBMuVWyCicEKwO5OLh renbYSy7LztIpHerdJcY0M19Mw84tvZieiKH4pex1c8h1fSVqwARAQABtClKYW4tUGhpbGlw cCBCZW5lY2tlIDxqcGJAY2xldmVycmVhY2guY29tPokCTgQTAQgAOAIbAwULCQgHAgYVCgkI CwIEFgIDAQIeAQIXgBYhBGF3WDN09HEw1vB0N2DnHPTx60ODBQJbo0UIAAoJEGDnHPTx60OD DcUP/355SumVuKL2KEsWQymPekZcTMbw9UOYYYXGd3tIo1wRRug7x4HlYUsfda8e7KgOtyXX y+WoNEH/LGsEuVBSJATMivyePeh2YVeHZw4FN7CN9eZn/3Kk43s2blksUcNgbLWqONTREtXO 6tSOin+cUpEI984dDeeSOhogW93KHrNU2Y4DacLmD4xZaht8Ahi7TE9T+NkoknCq8NiG08cF Fc5sjsX13rDLdlsypGplrY6tfHaHctsJxw+G7SbzVyIZwiQBHxb32uy2ULvo8rQp3W3VeEcO 4loBSPtU8MJ/TGGn15rcRahmk+UTiB0KhaC82BgcZGK8jY5bcicPVMJY7/JDo3ZrqUKIOXtC nsiR0bCIi/E7XbFJvRi++2PKf7zTyC2Gcxra32CVeFB/7bGb0QUKTJ2VRIHDRtvQV8svAbYw ieTEZx7a3A362dDKbtPYK0WHysasgVE7KgXas2Er2HusHNAb+scMYQ2hSmUkxO36TrQNSEZN zetO+Ei6AKdEneCNUKmxn4FWKE/l9G7uSmNO8gyvA57nuH2MSHYWN02TNYeaZXRTRHMOtco2 21zUw7omDtZrCiPd4tdkx/Qa2HUtyaDvpSS7iaNZPcu/3HLFiH0TKGrMPcTQaQtgr/FWtNTw lB6CGc3ZB4Ja2H9ZKIOWbrHFt6rnGHFzg9K5XeY1uQINBFrysUsBEAC2/lZYqMjaOoffz4fX W5sg+tsTAyjECRBooB4PO7C1CkGn2ODlucYIpDV7C0svAv6aYIChoEvRpVVEp1jO/cr90Aqg M54m9pSO/qaH8eETTw9qRbivH2O8gxy0whLUhVP2D0SIsmyOKeFk/u/APGatTnhQeUpbgHBA xklWTOHcOntpIKoWPeAzMQfc6pQq5SqdV+M4a5P2T0WTGJ0jDjS2LNnt1h9EMetv1WW2pJ1E /yshxzi1NvOm2/GFLpDibxWUBHSZfQA4gFyqV5Z11mvPHpRwNuo1+9inGd3h8Lm5R/iB53ri erQfUlAX1n//FrbCWdxu5ySPa3WBBqxZPv3OFLHEu0rA1xFjSQHMcHRJ08vXU9TzH4DIc5xa eaLvd08IvUFZShLNDuQt+n4vbdpuPjhgb5uJGNf00XwaVUNpeb98pruRa1WZUjkq0GeTzJIK Aa0roskxCoZiEV7o1eLxI8g0sEIprHgrdLwCnEAYr3BiVdk5GK/gfrxD3nVqooAho2Bd4vFd Uw0R049hjFdrmGoXLD/S1Nrwc+rsenQ/OeXjN/ZxCqLy+okbMeFOySopkPcyBkmDwfq04Y6L NIjxq3q2v0H7e7rqvidUlfyMtmQgu/cknlMLPxS5sqDOMe5d/svsuI03os3ib4BEwg19AXgH EVwtN+2/FXCM4qUNuwARAQABiQI8BBgBCAAmFiEEYXdYM3T0cTDW8HQ3YOcc9PHrQ4MFAlry sUsCGwwFCQlmAYAACgkQYOcc9PHrQ4NIZA/9Hj3izcHSjvy0FWUG/eq00wX7nnAiU04IGaxZ O1jdv8b3KBBPLrA13bQOt3tAinfCzlUE/y6moJYBss8LFYqUZfO62DP6VL3zGjp4GY79avxk stS2MN6VcrTjP0AOFkru4B0DOvlTHZtVO1g3ft5453O28kSUym/jona13bGMtpHyGk/pmA/X TvRS8vYw1If9tkqViXV5x+RfRSM4q03poSdUsKXQbZVPgdqsfis6LXJz6mlL/Ophz8fUD7ll e4yY1Z/94TXzcw5A7xzu7gtw6ftqoDcp8ee4IZ6uxPqQfxdR8MOLgBt6oOlm64IkzqZ6Fcs2 kweZBSb1x1WzyRrDZr7qJtWrgGHbTfLR42sHCIYaeBWE5bCkOqS2l/jvTI68Bcq2ygz+7EYe Wdqr3PX+uZIVvbBYEG93Zj/qF2Bxyk47BhY6RdQJ08OMgoHdvA0rJFzmG2gJk0EDCw1mtR/m m5VyOPOctZYTuu3lhpzxeRWcl2ih3fR2lQw0ljB1W/pGf3bFiA0LbOrFwWeruZE49oLrolCE wAIM2yaFWaNcxpTskV4aPBPjhJTe5nd+2W99PT69TWx2IP2+j6DR4uQb+WR7IH0+dBW0Rdz2 UQ6JzZMjdhCywo3e61+L23N2FNle140YYSH1yH8l+2iRnqq4EvY0DkDqYpcLuNchXfDV5rY=
Message-ID: <a2056e56-79ce-273d-2bfe-4a6877afbbb0@cleverreach.com>
Date: Tue, 28 Jun 2022 10:14:00 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:52.0) Gecko/20100101 PostboxApp/7.0.56
MIME-Version: 1.0
In-Reply-To: <VI1PR01MB70538205B38B6E1C9C665F35C7B29@VI1PR01MB7053.eurprd01.prod.exchangelabs.com>
Content-Type: multipart/alternative; boundary="------------8A390697C3FD836DD3607870"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfbl/dmfalQTiLVEAgHYQI46UhLNMJyc>
Subject: Re: [Cfbl] Double DKIM signing
X-BeenThere: cfbl@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussions mailing list about Complaint Feedback Loop Address Header <cfbl.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cfbl>, <mailto:cfbl-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfbl/>
List-Post: <mailto:cfbl@ietf.org>
List-Help: <mailto:cfbl-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cfbl>, <mailto:cfbl-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2022 08:14:10 -0000

Ken O'Driscoll schrieb am 22.06.22 um 14:30:
>
>  
>
> First, I’d like to thank Jan-Philipp for all of the hard work they put
> in getting the first draft.
>
>  
>
> One thing that jumps out at me is the requirement for double DKIM
> signing (section 3.1.3). If I read this correctly, the draft requires
> that if the CFBL-Address domain is different to that of the 5322.From
> domain, then the message must also be DKIM signed using the 5322.From
> domain in order for the CFBL header to be considered valid. The draft
> claims that this is to ensure that the 5322.From domain owner consents
> to the CFBL-Address domain receiving reports.
>
>  
>
> Why is this desirable? In the most common use case for FBLs, that of a
> mail service provider adding the CFBL header with their own report
> address and sending messages on behalf of a sender’s domain, the
> sender should not be able to decide what receivers can send complaints
> based on their messages. Surely that defeats the purpose of an FBL.
>
>  
>
> Further, the requirement for the 5322.From domain’s signature to sign
> the CFBL headers makes optimistic assumptions about how much control
> senders may have over the first-hop MTAs which they use.
>
>  
>
> While there are other arguments for DKIM signing messages with the
> 5322.From domain, it shouldn’t be a requirement for FBL reports to be
> generated.
>
>  
>
> Ken.
>
Thank you for your kind words and your feedback. I'm so sorry for the
late reply.

The original intent was to have both parties agree to receive FBL
messages via a third party address to prevent some sort of MITM attack.
For example, a malicious party changes the CFBL-Address to their domain
and signs it while transfer.
However, this is also possible with any other header that is not signed
with DKIM.

The following example considered valid then:

Return-Path: <sender@super-saas-mailer.com>
From: Awesome Newsletter <newsletter@example.com>
To: receiver@example.org
Subject: Super awesome deals for you
CFBL-Address: fbl@super-saas-mailer.com; report=arf
Message-ID: <a37e51bf-3050-2aab-1234-543a0828d14a@example.com>
Content-Type: text/plain; charset=utf-8
DKIM-Signature: v=1; a=rsa-sha256; d=super-saas-mailer.com; s=system;
       h=Subject:From:To:Message-ID:CFBL-Feedback-ID:CFBL-Address;

This way a mail service provider has the possibility to accept
pre-signed mails from their senders and inject its own FBL report address.

I think this makes much more sense, what do you think? If so, I would
change this with the next revision.

Again, thank you for bringing this up.

- JP

v2.23.0 | Report a Bug | By Email