[dmarc-ietf] Debugging and preventing DKIM failures- suggestion
"Douglas E. Foster" <fosterd@bayviewphysicians.com> Sun, 26 May 2019 12:22 UTC
Return-Path: <btv1==0498d9d9e55==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABCA012006E for <dmarc@ietfa.amsl.com>; Sun, 26 May 2019 05:22:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBPovdH5qSmk for <dmarc@ietfa.amsl.com>; Sun, 26 May 2019 05:22:35 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1265120020 for <dmarc@ietf.org>; Sun, 26 May 2019 05:22:35 -0700 (PDT)
X-ASG-Debug-ID: 1558873353-11fa3116c81aaf90001-K2EkT1
Received: from webmail.bayviewphysicians.com (smartermail4.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id pHOfAjjNtPALcW9Q (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO) for <dmarc@ietf.org>; Sun, 26 May 2019 08:22:33 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-ASG-Whitelist: Client
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=message-id:reply-to:subject:to:from; bh=ys5nqNV0zB4jagJhOMunop6R468ITpo2V4eHkJOMOuU=; b=RzaShgr3QMt8b7ZkIcmW2Pxn6iXzTB0tMXmgyhhroeHGpD7/p8TBt/k8fitKTcrez oZe8Ts69HDFtwKRCNeUCVUNRnVX9/NQx2lnGPOas9e6o3WboZdhuaK4Q7rYkqWQjp xfBSH5RmIsHkEUY7p8KpwRVRlhzSa4gVXPLvmwxQ8=
Received: by webmail.bayviewphysicians.com via HTTP; Sun, 26 May 2019 08:22:25 -0400
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dmarc@ietf.org
Date: Sun, 26 May 2019 08:22:25 -0400
X-ASG-Orig-Subj: Debugging and preventing DKIM failures- suggestion
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <433a2fcbcab9452d8ca4b3ac99dc5b71@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="ecf6790311b34b3f8ac2d72534e92b5a"
X-Originating-IP: [192.168.71.218]
X-Exim-Id: 433a2fcbcab9452d8ca4b3ac99dc5b71
X-Barracuda-Connect: smartermail4.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1558873353
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 5660
X-Barracuda-BRTS-Status: 1
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/GdAyg6qhG95cWotFMCPqvqoLlIc>
Subject: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 May 2019 12:23:26 -0000
Problem

DKIM verification failures are difficult to debug because the recipient cannot detect where the problem occurred or why.

Proposed Solutions

1) Identify the point of failure

It would seem helpful to support a DKIM trace record that a device can use to indicate that it detected a DKIM failure. I am suggesting a header of the form "DKIM-InputFail", followed by the contents of the signature header that could not be verified. This puts an upper bound on the location of the problem. (Once the failure is documented, it should not be repeated by downstream servers.)

A downstream MTA is still free to evaluate the original signature. For example, an intermediate MTA may have reported the failure incorrectly because of a software bug.

2) Recover from Subject header changes that break signatures.

One expected cause of DKIM verification errors is Subject header modification, either by spam filters or by list servers. These types of changes can also be mitigated by trace headers. If a device makes a change to the subject, it should add headers for "Subject-AsReceived" and "Subject-AsSent". Any downstream system can then reconstruct which header text was in place when any signature was applied, regardless of how many Subject header changes occur during transmission.

Downstream servers would also have the option of restoring the Subject header to its original value. This would be appropriate when the Subject was tagged by the spam filter upon arrival to an administrative domain, and then is auto-forwarded to a different administrative domain. If the outbound MTA restores the original subject, it increases the likelihood that the message will be accepted downstream.

The concept could be applied to other headers. For example, I have seen messages with DKIM failures because an auto-forward server replaced the internal Message-ID with one of its own. I don't know if there are legitimate reasons for intermediate MTAs to tamper with other headers.
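The Subject reconstruction proposed in the message above, sketched as an added example that is not part of the original post or of any DKIM implementation. "Subject-AsReceived" and "Subject-AsSent" are the post's proposed header names, not standardized fields. Assumptions: a SHA-256 digest over the relaxed-canonicalized signed headers stands in for real DKIM signature verification, and the message and both hops are constructed.

```python
import hashlib
import re

def relaxed(name, value):
    # DKIM "relaxed" header canonicalization (RFC 6376, section 3.4.2)
    value = re.sub(r"\r?\n(?=[ \t])", "", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def header_digest(msg, signed):
    # Stand-in for signature verification: hash only the headers listed in h=
    fields = dict(msg)
    data = "".join(relaxed(n, fields[n]) for n in signed)
    return hashlib.sha256(data.encode()).hexdigest()

def set_subject(msg, subject):
    return [(n, subject if n == "Subject" else v) for n, v in msg]

def rewrite_subject(msg, new_subject):
    # A hop that edits Subject prepends the proposed trace pair
    old = dict(msg)["Subject"]
    trace = [("Subject-AsReceived", old), ("Subject-AsSent", new_subject)]
    return trace + set_subject(msg, new_subject)

def subject_history(msg):
    # Newest-first Subject values; None if a change was made without a trace pair
    received = [v for n, v in msg if n == "Subject-AsReceived"]
    sent = [v for n, v in msg if n == "Subject-AsSent"]
    expected = dict(msg)["Subject"]
    history = [expected]
    for was, became in zip(received, sent):
        if became != expected:
            return None
        history.append(was)
        expected = was
    return history

def recover_signed_subject(msg, signed, digest):
    # Try each recorded Subject until the signed-header digest matches
    for candidate in subject_history(msg) or []:
        if header_digest(set_subject(msg, candidate), signed) == digest:
            return candidate
    return None

# Constructed sample: one signed message, then a spam filter and a list server
SIGNED = ["Message-ID", "Reply-To", "Subject", "To", "From"]
original = [("From", "alice@example.org"), ("To", "list@example.net"),
            ("Subject", "Quarterly report"), ("Reply-To", "alice@example.org"),
            ("Message-ID", "<1@example.org>")]
digest = header_digest(original, SIGNED)
hop1 = rewrite_subject(original, "[SPAM?] Quarterly report")
hop2 = rewrite_subject(hop1, "[list] [SPAM?] Quarterly report")
```

The chain check in `subject_history` is what keeps the trace useful for debugging: if any hop changes the Subject without recording it, the pairs no longer link up and no candidate is trusted.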