Re: [dmarc-ietf] Which DKIM(s) should be reported? (Ticket #38)

Alessandro Vesely <> Wed, 27 January 2021 12:33 UTC

To: Douglas Foster <>, IETF DMARC WG <>
Date: Wed, 27 Jan 2021 13:33:51 +0100

On Wed 27/Jan/2021 12:31:51 +0100 Douglas Foster wrote:
> Is this already a settled issue?

There doesn't seem to be a consensus, yet.

I repeat what I already proposed:

*  max number of DKIM signatures: 1024 (say)
*  min number of DKIM signatures: 0
*  can report unverified signatures (<result>none</result>)
*  order signatures by decreasing importance (reporter POV)

Would the WG post some +/-1s, please?

> - Another approach, based on E.F.Codd's data normalization rules for relational 
> databases, is to have a table of messages which is keyed on a message ID, and a 
> table of signatures, which is keyed on message ID and sequence number.   Then 
> an outer join can be used to append the list element with sequence number # to 
> the message record.   A separate outer join is required for each sequence 
> number being appended, so the implementation must choose a maximum number of 
> list elements to append.   One recent poster said that he was using this 
> approach.    Outer joins are generally inefficient, and this approach might 
> work for up to 4 list elements, but it will not work acceptably for a list with 
> 100 elements.

Could fill the whole list using transitive closure.  MariaDB implements 
Recursive Common Table Expressions, which can be used for that purpose. 
Although that feature was implemented in 2016, it landed on the distribution I 
use quite recently.  I haven't yet looked at it.

> For report sources with a fixed limit, it seems appropriate to have a metadata 
> element where the report provider states the maximum number of signatures that 
> might be reported by his system.   An indicator would be needed to indicate 
> "many, with no pre-determined limit"

It is probably more useful to report the total number of signatures found.  The 
fixed limit of a given implementation can be deduced after it is hit.

OTOH, a reference to the software version that generated the report would be 
useful in general, and may lead to the documented fixed number in particular.
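The schema and the two query strategies discussed above, as an added example that is not code from the thread or from either poster: a normalised message table plus a signature table keyed on (message ID, sequence number), the per-sequence-number LEFT JOIN that silently truncates at a fixed limit, and a recursive CTE that walks the whole list with no limit and also yields the total number of signatures found. It uses SQLite through Python's sqlite3 module rather than MariaDB (the recursive CTE has the same shape there, with CONCAT() in place of ||); the table and column names and the sample data are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not from the thread). Sequence numbers follow the
# reporter's order of decreasing importance: seq 1 is the most relevant signature.
MESSAGES = [
    ("msg-a", "example.com", "pass"),
    ("msg-b", "example.net", "fail"),   # no DKIM signatures at all (min = 0)
    ("msg-c", "example.org", "pass"),
]
SIGNATURES = [
    # (message_id, seq, signing domain, selector, result)
    ("msg-a", 1, "example.com", "s1", "pass"),
    ("msg-a", 2, "lists.example", "mlm", "pass"),
    ("msg-a", 3, "relay.example", "r1", "none"),   # unverified signature reported as "none"
    ("msg-a", 4, "other.example", "x", "fail"),
    ("msg-a", 5, "fifth.example", "y", "none"),    # lies beyond a 4-element join limit
    ("msg-c", 1, "example.org", "k1", "pass"),
]


def build_db():
    """Create the normalised schema in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE message(id TEXT PRIMARY KEY, header_from TEXT, dmarc TEXT);
        CREATE TABLE signature(
            message_id TEXT NOT NULL REFERENCES message(id),
            seq        INTEGER NOT NULL,
            domain TEXT, selector TEXT, result TEXT,
            PRIMARY KEY (message_id, seq));
    """)
    conn.executemany("INSERT INTO message VALUES (?,?,?)", MESSAGES)
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?,?)", SIGNATURES)
    return conn


def flatten_with_joins(conn, limit=4):
    """Foster's approach: one LEFT JOIN per sequence number.

    Returns (id, d1, r1, ..., d<limit>, r<limit>); anything past `limit`
    is dropped without any indication that it existed.
    """
    cols = ", ".join(f"s{i}.domain AS d{i}, s{i}.result AS r{i}"
                     for i in range(1, limit + 1))
    joins = "\n".join(
        f"LEFT JOIN signature s{i} ON s{i}.message_id = m.id AND s{i}.seq = {i}"
        for i in range(1, limit + 1))
    sql = f"SELECT m.id, {cols} FROM message m {joins} ORDER BY m.id"
    return conn.execute(sql).fetchall()


def flatten_with_cte(conn):
    """Recursive CTE (transitive closure over seq): walks 1..n for every
    message and accumulates the full list, however long, plus its length.
    """
    sql = """
    WITH RECURSIVE walk(message_id, seq, acc, n) AS (
        SELECT id, 0, '', 0 FROM message
        UNION ALL
        SELECT w.message_id, s.seq,
               w.acc || CASE WHEN w.acc = '' THEN '' ELSE ';' END
                     || s.domain || ':' || s.selector || '=' || s.result,
               w.n + 1
        FROM walk w
        JOIN signature s ON s.message_id = w.message_id AND s.seq = w.seq + 1
    )
    -- keep only the row that consumed every signature of its message
    SELECT message_id, acc, n
    FROM walk w
    WHERE w.n = (SELECT COUNT(*) FROM signature WHERE message_id = w.message_id)
    ORDER BY message_id
    """
    return conn.execute(sql).fetchall()


def signature_totals(conn):
    """Total signatures found per message, the figure a report should carry
    so a consumer can tell a genuine 4-signature message from a truncated one.
    The LEFT JOIN keeps messages with zero signatures in the result.
    """
    rows = conn.execute(
        "SELECT m.id, COUNT(s.seq) FROM message m "
        "LEFT JOIN signature s ON s.message_id = m.id GROUP BY m.id").fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_db()
    for row in flatten_with_joins(db, 4):
        print("join :", row)        # msg-a loses its fifth signature
    for row in flatten_with_cte(db):
        print("cte  :", row)        # msg-a shows all five, n=5
    print("total:", signature_totals(db))
```

With a total count alongside the flattened list, a consumer can compare the count with the number of elements actually present and deduce the generator's fixed limit the first time it is exceeded, which is the point made above about reporting the total rather than a declared maximum.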