IETF Logo Mail Archive

[dmarc-ietf] Why does DKIM fail when SPF succeeds (was: DMARC2 & SPF Dependency Removal)

Matthäus Wander <mail@wander.science> Sun, 23 July 2023 20:05 UTC

Return-Path: <mail@wander.science>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 611CFC14CF05 for <dmarc@ietfa.amsl.com>; Sun, 23 Jul 2023 13:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wander.science header.b="f038+icu"; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=wander.science header.b="oW5JQWHO"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q-1-FdXRnq0k for <dmarc@ietfa.amsl.com>; Sun, 23 Jul 2023 13:05:47 -0700 (PDT)
Received: from mail.swznet.de (cathay.swznet.de [IPv6:2a01:4f8:13b:2048::113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADCACC14EB19 for <dmarc@ietf.org>; Sun, 23 Jul 2023 13:05:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=wander.science; s=2023-05-rsa; h=Subject:Content-Transfer-Encoding: Content-Type:In-Reply-To:From:References:To:MIME-Version:Date:Message-ID:Cc: Sender:Reply-To; bh=uFeaJH6XMSi4p7B7BhTbctSx5FyTU1HcuV74mU/dMVo=; b=f038+icut qiSjRbjeRqHxi+E5fHgm01TVkebYnI/tH2OG4AxeqnOfav2qruzW6SO7NWOigMazpXiLw4AEBUmxE 9cV9J3rXNwQvIaeOsATKzjSx0+eC3GVPRPpXYDtaeZKteydjWSOVN+NsAOgrvZhNYAiCIuIQrdpL7 Wr7UGtBq3oDbh/rQDn6ADGre/NnbA/zXgYdHMJL/Q/yEzkh6jOSLHxqFCe6BFo6ZKAdsbMjPRqQ0M KF8n+J4i+S0snOQ9XF2SeGnj9Fly0wTIuD2575P6e7RBXQPUbfdrzRquQ2voY4jWeKhfjcuIKGuYA EFQHqmVYfrBOnnqr3ly0/iWfQ==;
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=wander.science; s=2023-05-ed25519; h=Subject:Content-Transfer-Encoding: Content-Type:In-Reply-To:From:References:To:MIME-Version:Date:Message-ID:Cc: Sender:Reply-To; bh=uFeaJH6XMSi4p7B7BhTbctSx5FyTU1HcuV74mU/dMVo=; b=oW5JQWHO+ 1c7EMPlow6UvfVkbIDrO2OTOSWL/e3wwFU4egPFOWA/LiSwxtvX1BWQ2IxWKQmOdQ6iUjhZlkOMCA ==;
Received: from dynamic-2a01-0c22-c007-3300-111c-b3cc-21c5-8c3f.c22.pool.telefonica.de ([2a01:c22:c007:3300:111c:b3cc:21c5:8c3f]) by mail.swznet.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <mail@wander.science>) id 1qNfKq-003GR8-LD for dmarc@ietf.org; Sun, 23 Jul 2023 22:05:45 +0200
Message-ID: <dd0661c0-e476-62b4-fe7a-8ec4d1a62818@wander.science>
Date: Sun, 23 Jul 2023 22:05:44 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
To: dmarc@ietf.org
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <D225D7FC-C570-4B63-A694-9F16DB1F33E1@kitterman.com> <CALaySJKwuOK-81dW2H9dtURxa5mLQDUNo+MWcs+Hho8N+yP9qg@mail.gmail.com> <2817813.dRqVH37e0G@localhost> <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com>
Content-Language: en-US
From: Matthäus Wander <mail@wander.science>
In-Reply-To: <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-SA-Exim-Connect-IP: 2a01:c22:c007:3300:111c:b3cc:21c5:8c3f
X-SA-Exim-Mail-From: mail@wander.science
X-SA-Exim-Version: 4.2.1 (built Sat, 13 Feb 2021 17:57:42 +0000)
X-SA-Exim-Scanned: Yes (on mail.swznet.de)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/817vGVfkkLkDee1yE4RltGT1GyQ>
Subject: [dmarc-ietf] Why does DKIM fail when SPF succeeds (was: DMARC2 & SPF Dependency Removal)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Jul 2023 20:05:52 -0000

Barry Leiba wrote on 2023-06-10 01:50:
> That's interesting and disturbing if it remains consistent.
> Theoretically, DKIM should *never* fail when SPF succeeds, so if
> that's happening it means there is:
> 1. bad signing software,
> 2. bad verifying software,
> 3. misconfiguration somewhere,
> ...or a combination of those three.
> 
> I would *really* like to see a current study of this, because I think
> it's critical for the future viability of DMARC, whether or not we
> accept the proposal to remove SPF.
Not a study, but some data points I've observed:

a) Signing with 3072-bit RSA leads to DKIM verification failures, 
because a popular mail gateway product (Cisco ESA) does not support RSA 
key lengths larger than 2048 bit.

b) Messages are generated by an automated system without a Date header 
and signed by a central MTA. An outgoing mail gateway then adds the 
missing Date header (Postfix option 'always_add_missing_headers'), thus 
invalidating the DKIM signature.

Such misconfigurations go unnoticed for years until someone checks the 
DMARC reports. While aggregate reports are incredibly helpful, it is 
still difficult to identify the cause of subtle DKIM failures. I'd wish 
that the <human_result> field would be filled by reporting software with 
the DKIM verification error message ('body hash did not verify', etc.) 
to aid with troubleshooting.

Contacting the report <email> or postmaster address has never worked for 
me: if they don't bounce, nobody replies.

c) There is a pattern of similar looking reports, which omit the <dkim> 
element in the <auth_results> altogether and always report 
<dkim>fail</dkim> in the policy result. I suspect a product, which makes 
it a bit too easy to enable DMARC validation without also enabling DKIM 
verification, but I wasn't able to identify the product yet.

Regards,
Matt

v2.23.0 | Report a Bug | By Email