Re: [dmarc-ietf] ARC vs p=quarantine

Alessandro Vesely <vesely@tana.it> Tue, 22 December 2020 09:38 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/O975FWTJNgARgR8PzSa4ruvNf24>

On Tue 22/Dec/2020 03:37:52 +0100 Benny Pedersen wrote:
> On 2020-12-21 18:27, Alessandro Vesely wrote:
>> On Mon 21/Dec/2020 01:52:11 +0100 Benny Pedersen wrote:
> 
>> For the message I'm replying to, I got:
>>
>> Authentication-Results: wmail.tana.it;
>>   spf=pass smtp.mailfrom=ietf.org;
>>   dkim=pass reason="Original-From: transformed" (whitelisted) header.d=junc.eu;
>>   dkim=pass (whitelisted) header.d=ietf.org
>>     header.b=GUNfiCpP;
>>   dkim=fail (signature verification failed, whitelisted) header.d=ietf.org
>>     header.b=IIMQxhd+
>>
>> Two out of three is not bad, is it?  If IETF only did ARC seals, I'd
>> probably have verified no signature at all — since I don't run ARC checks.
> 
> metacpan Mail::DKIM gives dkim invalid if just one dkim is invalid, so 
> spamassassin says as well dkim invalid


I don't think that's a reasonable choice.  A DKIM informative note exemplifies 
this very case:

       INFORMATIVE NOTE: The rationale of this requirement is to permit
       messages that have invalid signatures but also a valid signature
       to work.  For example, a mailing list exploder might opt to leave
       the original submitter signature in place even though the exploder
       knows that it is modifying the message in some way that will break
       that signature, and the exploder inserts its own signature.  In
       this case, the message should succeed even in the presence of the
       known-broken signature.
                          https://tools.ietf.org/html/rfc6376#section-6.1


> what software was used above to show these results?

zdkimfilter


Best
Ale
--
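
An added example, not part of the original message and not code from zdkimfilter, Mail::DKIM or SpamAssassin: it parses the Authentication-Results value quoted above and contrasts the two ways of combining several DKIM results discussed in the thread. The function names are hypothetical, and the parser covers only the subset of RFC 8601 syntax that appears in that header.

```python
import re

# Header value copied from the message above (authserv-id wmail.tana.it).
SAMPLE = '''wmail.tana.it;
  spf=pass smtp.mailfrom=ietf.org;
  dkim=pass reason="Original-From: transformed" (whitelisted) header.d=junc.eu;
  dkim=pass (whitelisted) header.d=ietf.org
    header.b=GUNfiCpP;
  dkim=fail (signature verification failed, whitelisted) header.d=ietf.org
    header.b=IIMQxhd+'''

def strip_comments(value):
    """Drop parenthesised comments, honouring nesting and quoted strings."""
    out, depth, quoted = [], 0, False
    for ch in value:
        if ch == '"' and depth == 0:
            quoted = not quoted
        if not quoted and ch == '(':
            depth += 1
        elif not quoted and ch == ')' and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return ''.join(out)

def dkim_results(header_value):
    """Return one (result, header.d, header.b) tuple per dkim= entry."""
    found = []
    # Split on ';' outside quoted strings; the first part is the authserv-id.
    parts = re.findall(r'(?:"[^"]*"|[^;])+', strip_comments(header_value))[1:]
    for part in parts:
        props = dict(re.findall(r'([\w.]+)=("[^"]*"|\S+)', part))
        if 'dkim' in props:
            found.append((props['dkim'], props.get('header.d'), props.get('header.b')))
    return found

def any_valid(results):
    """RFC 6376 section 6.1 note: a broken signature beside a valid one is harmless."""
    if not results:
        return 'none'
    return 'pass' if any(r == 'pass' for r, _, _ in results) else 'fail'

def strict_all_valid(results):
    """The aggregation described in the quoted reply: one invalid signature fails all."""
    return 'pass' if results and all(r == 'pass' for r, _, _ in results) else 'fail'

def passing_domains(results):
    """Signing domains with at least one verified signature (input to alignment checks)."""
    return sorted({d for r, d, _ in results if r == 'pass'})

if __name__ == '__main__':
    res = dkim_results(SAMPLE)
    print(any_valid(res), strict_all_valid(res), passing_domains(res))
```
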