Re: [dmarc-ietf] Which DKIM(s) should be reported? (Ticket #38)

Alessandro Vesely <> Mon, 25 January 2021 18:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DAA543A171C for <>; Mon, 25 Jan 2021 10:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.221
X-Spam-Status: No, score=-0.221 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1152-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7M9-KNsZjqmR for <>; Mon, 25 Jan 2021 10:25:58 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 567463A171B for <>; Mon, 25 Jan 2021 10:25:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=delta; t=1611599155; bh=d6fplJWl82RFTsk+ZeUXQaH2wfQA7KNAsKYVsaUstEY=; l=1773; h=To:References:From:Date:In-Reply-To; b=AMl9zcZ3frsvsBpTtEah/7v/1WcJKvfoQ4efLAXEUG4fI0zEGnvcAiN0OQuFtRQd2 BwfgZvscH0A114W+pgYvN+ybOGPNyc2OZEuUgzFd/F/DCRoNelSUiC19sham1c5AEL 58WqUwDSkxNrS8Rg2pA4rs1/rCdFJS86UX4nobzVKQgTfDkRl+AtVoJqVNx+i
Authentication-Results:; auth=pass (details omitted)
Original-From: Alessandro Vesely <>
Received: from [] (pcale.tana []) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by with ESMTPSA id 00000000005DC0E0.00000000600F0D33.00000245; Mon, 25 Jan 2021 19:25:55 +0100
References: <>
From: Alessandro Vesely <>
Message-ID: <>
Date: Mon, 25 Jan 2021 19:25:53 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [dmarc-ietf] Which DKIM(s) should be reported? (Ticket #38)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 Jan 2021 18:26:00 -0000

On Mon 25/Jan/2021 01:25:13 +0100 Brotman, Alex wrote:
> Some time ago, an issue[1] was brought to the list where which DKIM(s) being reported is not clear in RFC7489 [2].  There was a short discussion, though no clear resolution before conversation trailed off.  It seems like there were points that may need to be discussed.  One was whether the reporting SHOULD report all signatures, regardless of alignment or validity, or perhaps just the one that aligns (if there is one).

I think that, in principle, it is good to report all signatures.  Within a 
report, signatures should be ordered by importance.  If the number of 
signatures per report is limited, it is paramount that they be ordered, so that 
the most important ones are reported.

How to define importance is subjective.  A report generators decides the order 
based on internal policies or criteria.  The order in which signatures are 
reported is an additional information, as if each record contained a sort of 
approval index, irrespective of the total number of signatures being reported.

For example, my report generator orders signatures by domain, putting author's 
domain first, and then taking into account alignment and a sort of reputation. 
  That's the order in which validation is attempted.  Afterwards, valid 
signatures are put before invalid ones.  The number of reported signatures is 
limited to 4, because of SQL query limits (the query itself is configurable; it 
does a number of LEFT JOIN, which can be increased.)

>  There was also another question if there should be a limit to the number of signatures reported so that it remains sane.

Yes, I think it's sane to put a limit.  I'd reject messages with more than 128 
signatures.  It never happened.