Re: [dmarc-ietf] DNS library queries for DKIM and DMARC records?
"Chris Newman" <chris.newman@oracle.com> Thu, 16 May 2019 14:06 UTC
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=yM07u5c65TKjkjQAdWKZAfpGbGHfDEIw/b9u+9WgFbM=; b=nDKMFLQ6Xc+4dFCrWgILols9pPKkYeh3RwEx8FubogjU0Zcmvvw5k6m7TkfFqs2bHnZT aRNrcV7BaNXuBg7tCJ2UmE2Cr3x4VYcwWKPX0CcBCYpS1ucTkGBj6MM+buL0J2ZSIrk4 YrUtaBIQ+8m63h1WZqyo3AbYvTpRs0G3ZXOD9w5aYgBIkK2khKKLd9wJP1yCjjEpUKCD seqR24dMx5XgDlL/ksC5SOjHORpLfLRFYvoMhFTWEiL/dgwULFgOm2bLuKrG+o4kjL2E RQEOOMo6JDF5hi1ps0PMxC+A723AUewyNTciHh1U8c8KUKdC9YitUHWKIOogdri0XUAr mg==
From: Chris Newman <chris.newman@oracle.com>
To: Doug Foster <fosterd@bayviewphysicians.com>
Cc: Dave Crocker <dcrocker@gmail.com>, IETF DMARC WG <dmarc@ietf.org>
Date: Thu, 16 May 2019 10:06:18 -0400
X-Mailer: MailMate (1.12.4r5594)
Message-ID: <49301D00-1881-4A86-B7E5-AC0B6272B34B@oracle.com>
In-Reply-To: <000401d50b27$dbb5c310$93214930$@bayviewphysicians.com>
References: <571ce243-a8b0-094d-0d59-06f1432bd741@gmail.com> <000401d50b27$dbb5c310$93214930$@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/43HhXEVoOKZsD9ii1a7zKpUFrBA>
Subject: Re: [dmarc-ietf] DNS library queries for DKIM and DMARC records?
If you're doing this analysis, I think it may be helpful to the community if you share test vector messages. Data variations that trigger a bug in one implementation might cause issues with other implementations and thus may be helpful as a public test vector to improve overall implementation quality.

- Chris

On 15 May 2019, at 10:09, Doug Foster wrote:
> I have recently begun evaluating my incoming traffic for DKIM status, and I
> suspect the results are relevant to your question.
>
> These results are based on 768 unique domains, on signed messages, received
> over a few adjacent days. Messages that were blocked for any reason are
> excluded from the analysis. (I am not blocking based on DKIM status).
>
> 22   2.9%  have DKIM signatures but fail verification 100%
> 15   2.0%  have some DKIM verification failures
>
>  7   0.9%  have 100% rejection due to DNS record syntax errors
>  1   0.1%  have some rejections due to DNS record syntax errors
>
> 10   1.3%  have 100% DKIM TXT lookup failures
>  1   0.1%  have some DKIM TXT lookup failures
> ---  ----
> 57   7.3%  have DKIM problems
>
> This failure rate is much higher than I would have expected.
>
> When DKIM verification failures are detected, several possibilities must be
> considered:
> - an error exists in the signature generation algorithm at the source system
> - modification or addition of a signed header during transit
> - an error exists in the signature verification algorithm at the receiving
>   system
>
> We receive very little indirect mail, so I believe that forwarding is not a
> significant contributor to these problems.
>
> For this type of debugging, it would be helpful if the receiving system
> logged the message exactly as it was used for signature verification. This
> would permit independent verification using a tool such as the message
> header checker at MxToolbox.com. For the devices that I manage, this is
> not the case. Some of the devices do not log the full message at all. The
> one that does full logging only logs the message as it is relayed outbound.
>
> My research also exposed a probable data-related bug on one mail server,
> which causes it to generate incorrect signatures on a small percentage of
> our outbound traffic. I will be working with the vendor on that.
>
> Doug Foster
>
> -----Original Message-----
> From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Dave Crocker
> Sent: Wednesday, April 10, 2019 3:37 PM
> To: IETF DMARC WG
> Subject: [dmarc-ietf] DNS library queries for DKIM and DMARC records?
>
> Folks,
>
> Howdy.
>
> I'm trying to get a bit of education about reality. Always dangerous, but
> I've no choice...
>
> For the software you know about, how are queries to the DNS performed,
> to obtain the TXT records associated with DKIM and/or DMARC?
>
> I'm trying to understand the breadth and limitations of returned
> information that is filtered or passed by the code that is actually in
> use. Which libraries and which calls from those libraries.
>
> Thanks.
>
> d/
>
> --
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dmarc&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=K_BObr5Kfkr3rxt1oBPF9KFiEU3xl9LcD2OOJG3TXfI&m=grA_44LyxvKqiGTJiOi4rnAkWUvPWq5Awl5rt-CqST0&s=PGbGkqcDa8b82pmdZS8i0mfVHJnKbSANGptAyHzeEtc&e=
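Added example, not part of this thread and not code from any of the posters' systems: an offline triage helper that sorts a DKIM result into the three buckets Doug's table uses (TXT lookup failure, DNS record syntax error, verification failure) and that concatenates the TXT character-strings a resolver returns before parsing the key record, which is the filtering question Dave raises. It checks only the body hash (bh=), the part of DKIM verification that needs no public key, under simple and relaxed canonicalization, so that a logged "message as verified" can be compared against the signature independently. The message body, the key records and the p= value are constructed placeholders (the p= is base64 of a label, not an RSA key); the function names and the three bucket strings are this example's own.

```python
"""Offline DKIM triage: TXT string joining, tag-list parsing, body-hash check.
All sample data below is constructed for the example."""
import base64
import hashlib
import re

TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def join_txt_strings(strings):
    """A TXT RR carries one or more <character-string>s of at most 255 octets.
    A DKIM key record that spans several strings must be concatenated with no
    separator before parsing; a library that hands back only the first string
    truncates the public key and the record then fails as a syntax error."""
    return b"".join(strings).decode("ascii")


def parse_tag_list(text):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2). Raises ValueError on
    malformed tag names, missing '=', or duplicate tags; a trailing ';' is fine."""
    tags = {}
    for item in text.split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            raise ValueError("tag without '=': %r" % item.strip())
        name, value = (part.strip() for part in item.split("=", 1))
        if not TAG_NAME.match(name):
            raise ValueError("bad tag name: %r" % name)
        if name in tags:
            raise ValueError("duplicate tag: %r" % name)
        tags[name] = value
    return tags


def check_key_record(tags):
    """Sanity checks on a parsed key record: v= (if present) must be DKIM1 and
    p= must be present and decodable. An empty p= is valid and means revoked."""
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported key record version %r" % tags["v"])
    if "p" not in tags:
        raise ValueError("key record lacks p= tag")
    try:  # binascii.Error is a ValueError subclass
        base64.b64decode(re.sub(r"\s", "", tags["p"]), validate=True)
    except ValueError:
        raise ValueError("p= is not valid base64")
    return tags


def canonicalize_body(body, method="relaxed"):
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4
    (relaxed): relaxed collapses WSP runs and strips trailing WSP per line;
    both drop empty lines at the end and terminate the body with CRLF."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    elif method != "simple":
        raise ValueError("unknown canonicalization %r" % method)
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:  # simple: empty body becomes one CRLF; relaxed: stays empty
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, method="relaxed", algorithm="sha256"):
    """bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algorithm, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def triage(sig_header, body, txt_answer):
    """Map one message plus the resolver's answer for the selector record onto
    the buckets used in the thread. txt_answer is the list of TXT character-
    strings, or an empty list when the lookup returned nothing."""
    sig = parse_tag_list(sig_header)
    if not txt_answer:
        return "DKIM TXT lookup failure"
    try:
        check_key_record(parse_tag_list(join_txt_strings(txt_answer)))
    except ValueError as exc:
        return "DNS record syntax error: %s" % exc
    canon = sig.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # c=relaxed alone => simple body
    algorithm = sig["a"].split("-", 1)[1]                   # rsa-sha256 -> sha256
    if re.sub(r"\s", "", sig["bh"]) != body_hash(body, body_canon, algorithm):
        return "verification failure (body hash mismatch)"
    return "body hash OK (header signature check still needed)"


def make_signature(body, body_canon="relaxed"):
    """Build a DKIM-Signature value with a correct bh= for body; the b= tag is
    a placeholder, so this only produces test vectors for the bh= check."""
    return ("v=1; a=rsa-sha256; c=relaxed/%s; d=example.com; s=sel; "
            "h=from:to:subject; bh=%s; b=PLACEHOLDER"
            % (body_canon, body_hash(body, body_canon)))


# Constructed sample data (not from the thread).
BODY = b"Hello,\r\n\r\nThis  is a test message. \r\n\r\n\r\n"
FAKE_P = base64.b64encode(b"placeholder bytes, not an RSA key").decode("ascii")
KEY_OK = [("v=DKIM1; k=rsa; p=" + FAKE_P[:10]).encode(), FAKE_P[10:].encode()]
KEY_BAD = [b"v=DKIM1; k=rsa p=" + FAKE_P.encode()]  # missing ';' swallows p=

if __name__ == "__main__":
    sig = make_signature(BODY)
    for label, body, answer in [("no answer", BODY, []), ("bad record", BODY, KEY_BAD),
                                ("intact", BODY, KEY_OK), ("modified", BODY + b"x\r\n", KEY_OK)]:
        print("%-10s %s" % (label, triage(sig, body, answer)))
```

Running the block prints one line per constructed vector. The "modified" case is the transit-modification bucket; the relaxed canonicalization makes a whitespace-only change (tabs for spaces, trailing blanks) still verify, which is why logging the body exactly as it was canonicalized, not as relayed onward, is what makes an independent re-check possible.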