IETF Logo Mail Archive

[dmarc-ietf] Debugging and preventing DKIM failures- suggestion

"Douglas E. Foster" <fosterd@bayviewphysicians.com> Sun, 26 May 2019 12:22 UTC

Return-Path: <btv1==0498d9d9e55==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABCA012006E for <dmarc@ietfa.amsl.com>; Sun, 26 May 2019 05:22:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBPovdH5qSmk for <dmarc@ietfa.amsl.com>; Sun, 26 May 2019 05:22:35 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1265120020 for <dmarc@ietf.org>; Sun, 26 May 2019 05:22:35 -0700 (PDT)
X-ASG-Debug-ID: 1558873353-11fa3116c81aaf90001-K2EkT1
Received: from webmail.bayviewphysicians.com (smartermail4.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id pHOfAjjNtPALcW9Q (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO) for <dmarc@ietf.org>; Sun, 26 May 2019 08:22:33 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-ASG-Whitelist: Client
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=message-id:reply-to:subject:to:from; bh=ys5nqNV0zB4jagJhOMunop6R468ITpo2V4eHkJOMOuU=; b=RzaShgr3QMt8b7ZkIcmW2Pxn6iXzTB0tMXmgyhhroeHGpD7/p8TBt/k8fitKTcrez oZe8Ts69HDFtwKRCNeUCVUNRnVX9/NQx2lnGPOas9e6o3WboZdhuaK4Q7rYkqWQjp xfBSH5RmIsHkEUY7p8KpwRVRlhzSa4gVXPLvmwxQ8=
Received: by webmail.bayviewphysicians.com via HTTP; Sun, 26 May 2019 08:22:25 -0400
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dmarc@ietf.org
Date: Sun, 26 May 2019 08:22:25 -0400
X-ASG-Orig-Subj: Debugging and preventing DKIM failures- suggestion
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <433a2fcbcab9452d8ca4b3ac99dc5b71@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="ecf6790311b34b3f8ac2d72534e92b5a"
X-Originating-IP: [192.168.71.218]
X-Exim-Id: 433a2fcbcab9452d8ca4b3ac99dc5b71
X-Barracuda-Connect: smartermail4.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1558873353
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 5660
X-Barracuda-BRTS-Status: 1
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/GdAyg6qhG95cWotFMCPqvqoLlIc>
Subject: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 May 2019 12:23:26 -0000

 
  Problem
  
 DKIM verification failures are difficult to debug because the recipient 
cannot detect where the problem occurred or why.
  
 Proposed Solutions
  
 1) Identify the point of failure
  
 It would seem helpful to support a DKIM trace record that a device can use 
to indicate that it detected a DKIM failure.  I am suggesting a header of 
the form "DKIM-InputFail", followed by the contents of the signature header 
that could not be verified.  This puts an upper bound on the location of 
the problem.  (Once the failure is documented, it should not be repeated by 
downstream servers.)
  
 A downstream MTA is still free to evaluate the original signature.   For 
example, an intermediate MTA may have reported the failure incorrectly 
because of a software bug.   
  
 2) Recover from Subject header changes that break signatures.
  
 One expected cause of DKIM verification errors is Subject header 
modification, either by spam filters or by list servers.   These types of 
changes can also be mitigated by trace headers.   If a device makes a 
change to the subject, it should add headers for "Subject-AsReceived" and 
"Subject-AsSent".  Any downstream system can then reconstruct which header 
text was in place when any signature was applied, regardless of how many 
Subject header changes occur during transmission.
  
 Downstream servers would also have the option of restoring the Subject 
header to its original value.   This would be appropriate when the Subject 
was tagged by the spam filter upon arrival to an administrative domain, and 
then is auto-forwarded to a different administrative domain.   If the 
outbound MTA restores the original subject, it increases the likelihood 
that the message will be accepted downstream.  
  
 The concept could be applied to other headers.   For example, I have seen 
messages with DKIM failures because an auto-forward server replaced the 
internal Message-ID with one of its own.   I don't know if there are 
legitimate reasons for intermediate MTAs to tamper with other headers.

v2.23.0 | Report a Bug | By Email