Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
"Douglas E. Foster" <fosterd@bayviewphysicians.com> Fri, 31 May 2019 10:59 UTC
Return-Path: <btv1==05408f7c171==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E89EB12001B for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 03:59:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lwi12tVJmDB6 for <dmarc@ietfa.amsl.com>; Fri, 31 May 2019 03:59:35 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1CBA12007C for <dmarc@ietf.org>; Fri, 31 May 2019 03:59:34 -0700 (PDT)
X-ASG-Debug-ID: 1559300373-11fa3116c8270d60001-K2EkT1
Received: from webmail.bayviewphysicians.com (smartermail4.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id TMO1dlusCKabSb3b (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO); Fri, 31 May 2019 06:59:33 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-ASG-Whitelist: Client
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=message-id:reply-to:subject:to:from; bh=gyM/0NivmA8uSBtakqgFcIcZ72/9ezj2HIsxyoACEYE=; b=eTmR0K4rXrwhsYJr3HmspnODHhyO7rzKBowze13Ho4piUVGia/wS9mzoHAYzPKleT NQO+5Vyv+ZXCDb64355c5ggygQnuR3L/XqtJN2ZPiip3cWVBWczaln46BRd6drL79 mhwTjCPQqI/pKpVsZKkChpcBfBaMmjgFX/PUXxK2A=
Received: by webmail.bayviewphysicians.com via HTTP; Fri, 31 May 2019 06:59:24 -0400
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dcrocker@bbiw.net
CC: IETF DMARC WG <dmarc@ietf.org>
Date: Fri, 31 May 2019 06:59:24 -0400
X-ASG-Orig-Subj: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <f5106924930f41c5bd83a709e4307f8b@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b2e7211659294a7abe6c0f3285845de8"
X-Originating-IP: [192.168.1.239]
In-Reply-To: <1931a4e4-7112-56ae-24e6-b138466392b4@dcrocker.net>
References: <54FB29A0-517A-430E-AF5B-CB079CC3D7F6@aegee.org> <20190526144848.08A772014A0BF4@ary.qy> <CAL0qLwbxwLTpgYJN9qBTzi2oN1EMvAYuNoDbw5Rx5W46-WNyLA@mail.gmail.com> <alpine.OSX.2.21.9999.1905301712140.76792@ary.qy> <c559a331d90b49eba5b5f6e35ff4774a@bayviewphysicians.com> <1931a4e4-7112-56ae-24e6-b138466392b4@dcrocker.net>
X-Exim-Id: f5106924930f41c5bd83a709e4307f8b
X-Barracuda-Connect: smartermail4.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1559300373
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 10039
X-Barracuda-BRTS-Status: 1
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/AsmuogU4KeRLSz-kTiarHv75F1U>
Subject: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 10:59:38 -0000
I cannot speak to IETF consensus, since I am new to that process and I seem to be an outlier already. Agency and signatures are well understood legal concepts. 3000 years ago, people sealed their letters with a signet ring stamped in warm clay. Signing technologies have changed in that time, but the principle has not. A courier is responsible for keeping the signed and sealed part of a message unaltered. Envelope marks are acceptable. A digital signature is supposed to provide non-repudiation. If I submit a signed message to a list processor, and the list processor voids the signature, it has given me verifiable repudiation, the opposite of what either sender or receiver want. A closed group on a single server can use whatever rules they choose to implement in that community. For example, a web forum operates on the rules of the forum operator. However, an open group using the email infrastructure has to work within the infrastructure it uses. In the email infrastructure, the recipient has to deal with fraud, and any recipient accommodation to "harmless" fraud facilitates the people who are doing "harmful" fraud to that recipient. There are some obvious use-cases for MTA changes to a message, and we would do well to document and address them. The first that comes to mind is MTA comment fields. - A list processor wants to add a comment indicating something about the list that sent it. - A spam filter wants to add a tag indicating that the message is suspicious, but not sufficiently suspicious to be blocked. IETF would do well to specify a mechanism for MTAs to add information which MUAs present to the user, while identifiying that that the information came from the MTA rather than the original sender. Another use-case is related to body sections. IETF only forwards plain text, while most email solutions send messages in HTML+Text. I assume that IETF also drops attachments. DKIM cannot handle this because it hashes the entire body. A signature system that signed each section individually would allow sections to be dropped, with notification to the user, without breaking the signatures on the other MIME types. DKIM was supposed to provide sender authentication when SPF was invalidated by forwarding, so DMARC said that the two techniques should be evaluated together. I am realizing that if SPF is invalidated, DKIM is probably invalidated as well, so we have no usable sender authentication technology. This may explain why so many products that I have examined lack support for DMARC or lack good exception mechanisms for SPF, DKIM, and DMARC. It seems that email needs something like "DNS Flag Day", where major players announce a date after which certain behaviors that will no longer be tolerated. But as others have said, IETF is not that organization, and the organization may not exist. More discouraged than ever, Doug Foster ---------------------------------------- From: "Dave Crocker" <dhc@dcrocker.net> Sent: Friday, May 31, 2019 12:41 AM To: fosterd@bayviewphysicians.com Cc: "IETF DMARC WG" <dmarc@ietf.org> Subject: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion On 5/30/2019 7:49 PM, Douglas E. Foster wrote: > I rather hoped that IETF would be the poster-boy for list processing > done correctly. "Correctly"? A message to a list is 'delivered' to the list. As in, it goes to the specified addresse... the list. A message from a list has been re-posted by the list. There are no constraints on the changes that are permitted to a message, before it is re-posted. There are no specifications that limit or direct the behaviors of a list processor. Different groups want and probably need different behaviors by a list processor. Periodic efforts to create such constraints have failed. So while it would certainly make things easier to have list processors behave in a simple, consistent manner, there's ample evidence that ain't gonna happen. If you can link the 'correctly' you are suggesting, to some documented, community consensus, please cite it. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- [dmarc-ietf] Debugging and preventing DKIM failur… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Дилян Палаузов
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Murray S. Kucherawy
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John R Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Douglas E. Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dotzero
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Doug Foster
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John R Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Dave Crocker
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… John Levine
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Elizabeth Zwicky
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Hector Santos
- Re: [dmarc-ietf] Debugging and preventing DKIM fa… Stan Kalisch