Re: [dmarc-ietf] DMARC result for DKIM testing and policy
Todd Herr <todd.herr@valimail.com> Thu, 21 March 2024 14:58 UTC
Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A65D6C18DBA1 for <dmarc@ietfa.amsl.com>; Thu, 21 Mar 2024 07:58:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LaMBqjFbUf0Z for <dmarc@ietfa.amsl.com>; Thu, 21 Mar 2024 07:58:37 -0700 (PDT)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90063C1519B7 for <dmarc@ietf.org>; Thu, 21 Mar 2024 07:58:37 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id 3f1490d57ef6-dcd9e34430cso1133227276.1 for <dmarc@ietf.org>; Thu, 21 Mar 2024 07:58:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1711033116; x=1711637916; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=G8J6Z5bBFZrtQByAsDBetkYwTI5cpnLr+XXqIR64SdU=; b=Qk8QKOhYCGGYuUEXBdLMUShdKSmDfdmwEQ1386sobm8vKT3HjZEMp/cFtZ2xfg/IKQ KJBFZMSLmkgiB7KXo/+doAP1Sb/DFfHo0z6cgMjfoSvev2xr7sRu3LGukPlNnTE0jBQ6 6TwqDNJShoB28sh3Cu/iIKAXonMuf2iHIJM1A6WEsVgnEZJv/ExSK46TvgRTSwD5jiWC afeDJu29H6+3OtOY1zufR8oqJZzs4q1lx/Hg84Gqy6rTGErzKdKkRdD4Me9y1ThZv0jf Bmn53MgKNH9ex0h7uyIX15PbYeTxl7sanovX1kp7Z3WfH807l1kikQ0mxhtVb5t0/at2 7K6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711033116; x=1711637916; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=G8J6Z5bBFZrtQByAsDBetkYwTI5cpnLr+XXqIR64SdU=; b=WmhEgmYtcpDFqCn01upYIgeR4zqBbHJ2fW1BXtyL7+Fhg0uIjlg5qdYbOEHwchTv8O 40r3ufZpZoNRclI1113ftdhT/lxaBMVVALCRSxpJdU/s4iW0/lDhtLuwxFcVJrPMA7XZ t0DU/G8Itg+AEhWehIF2+2MoaWKmOxI+pyEbCTQ7ZL40z6XO2nKI3HvN6+4f1Ujc0yPT IRi1Oi8eYcq4Lfi7bFlx1lBtgNG4MRvoa5WoKevyUi49GQERxyGlHm86NwH0i5iWApif kfVdODtmT5s56CIV+YTNHjmntDpIbe7ByqDXAqHMcjDFf307TaLLaJdWpwYJj45yUHdP A2Wg==
X-Gm-Message-State: AOJu0Yz4opClet56zkGpU0fAEChb/L3tqSxBykO8o4JMqsZUtsbzvlDu G6pvRZTMYJstFbCVDcbcg7dU8Wezd6cxY2mMmng4dCFhvqlzBO5cgwgwWUknru33HmlJXCb09PE deAR6Ot8DQYHirdnFMUTC2IVlgOZTW/41pF+l7fy4uUVj6EeevtU=
X-Google-Smtp-Source: AGHT+IEdKtrw3rVpWJoOTqUowcs7erURQzhWTCChYFWf/jnrzksWsFz3LMBgpDegsr9znNAlhitFWBjHX0nBd1g5H7I=
X-Received: by 2002:a25:86cd:0:b0:dcf:f9bd:fe05 with SMTP id y13-20020a2586cd000000b00dcff9bdfe05mr18175950ybm.48.1711033116136; Thu, 21 Mar 2024 07:58:36 -0700 (PDT)
MIME-Version: 1.0
References: <27cf610e-8666-410c-b015-6c33478af9b4@tana.it> <d959df28-efae-41df-a760-95adf48f5d91@wander.science> <8acac3b8-4529-4c21-b7a4-462564199db4@tana.it> <CAHej_8m6MFQ9m5U+=iHeL9MiXno3LF80=rsbKv0c99_24yo2Qw@mail.gmail.com>
In-Reply-To: <CAHej_8m6MFQ9m5U+=iHeL9MiXno3LF80=rsbKv0c99_24yo2Qw@mail.gmail.com>
From: Todd Herr <todd.herr@valimail.com>
Date: Thu, 21 Mar 2024 10:58:20 -0400
Message-ID: <CAHej_8=No26cdBJKAon=dAiEYqPyESByw=qWGfGrx8nx=gkSRw@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001631cd06142cf192"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/PPPPkWNW5StxH6p1aPiVcs-t6T8>
Subject: Re: [dmarc-ietf] DMARC result for DKIM testing and policy
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2024 14:58:41 -0000
On Thu, Mar 21, 2024 at 10:15 AM Todd Herr <todd.herr@valimail.com> wrote: > On Thu, Mar 21, 2024 at 5:55 AM Alessandro Vesely <vesely@tana.it> wrote: > >> On Wed 20/Mar/2024 23:11:20 +0100 Matthäus Wander wrote: >> > Alessandro Vesely wrote on 2024-03-20 15:42: >> >> what is the result of DMARC on having, say >> >> >> >> dkim=pass (testing key) >> >> or >> >> dkim=policy (512 byte key) >> >> >> >> is that akin to SPF neutral, i.e. dmarc=fail? >> > >> > dkim=pass results in dmarc=pass (if the domain is aligned). The comment >> in >> > brackets is for human eyes and does not change the DMARC result. >> >> >> For t=y, DKIM says: >> >> y This domain is testing DKIM. Verifiers MUST NOT treat messages >> from Signers in testing mode differently from unsigned email, >> even should the signature fail to verify. Verifiers MAY wish >> to track testing mode results to assist the Signer. >> >> So reporting dkim=pass for testing keys seems to be a violation. >> >> >> > dkim=policy is like spf=neutral, i.e. dmarc=fail. >> >> >> Agreed. Should that be mentioned in DMARCbis? >> >> > I don't believe there's any need to discuss this topic in DMARCbis. > > DMARCbis, in section 4.1, DMARC Basics, says: > > =============================================================== > > A message satisfies the DMARC checks if at least one of the supported > authentication mechanisms:¶ <#m_-6134626636375030691_section-4.1-3> > > 1. > > produces a "pass" result, and > <#m_-6134626636375030691_section-4.1-4.1.1> > 2. > > produces that result based on an identifier that is in alignment, as > described in Section 4.4 > <#m_-6134626636375030691_identifier-alignment-explained>. > > =============================================================== > > If there's anything to say about reporting a DKIM pass result for DKIM > signatures where t=y exists and its possible ramifications for DMARC, then > I believe that's something for an update RFC 6376 to address. > > And upon further reflection I personally think two more things: 1. It is highly unlikely that a Domain Owner will publish a DMARC policy record with DKIM t=y in place when they can accomplish the same results with a DMARC policy of p=none and get aggregate and perhaps failure reporting to boot. 2. That part of 6376 might be better written as "Should the signature fail to verify, verifiers MUST NOT treat messages from Signers in testing mode differently from unsigned email." as I see no reason to penalize a Domain Owner who successfully DKIM signs messages, even in testing mode. But I could very well be in the weeds here... -- Todd Herr | Technical Director, Standards & Ecosystem Email: todd.herr@valimail.com Phone: 703-220-4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
- [dmarc-ietf] DMARC result for DKIM testing and po… Alessandro Vesely
- Re: [dmarc-ietf] DMARC result for DKIM testing an… Matthäus Wander
- Re: [dmarc-ietf] DMARC result for DKIM testing an… Alessandro Vesely
- Re: [dmarc-ietf] DMARC result for DKIM testing an… Todd Herr
- Re: [dmarc-ietf] DMARC result for DKIM testing an… Todd Herr
- Re: [dmarc-ietf] DMARC result for DKIM testing an… Scott Kitterman
- Re: [dmarc-ietf] DMARC result for DKIM testing an… Murray S. Kucherawy
- Re: [dmarc-ietf] no DMARC result for DKIM testing… Scott Kitterman
- Re: [dmarc-ietf] DMARC result for DKIM testing an… Scott Kitterman
- Re: [dmarc-ietf] DMARC result for DKIM testing an… John Levine
- Re: [dmarc-ietf] DMARC result for DKIM testing an… Mark Alley
- Re: [dmarc-ietf] no DMARC result for DKIM testing… John Levine
- Re: [dmarc-ietf] no DMARC result for DKIM testing… Benny Pedersen
- Re: [dmarc-ietf] of course no DMARC result for DK… John R. Levine
- Re: [dmarc-ietf] no DMARC result for DKIM testing… Benny Pedersen
- Re: [dmarc-ietf] of course no DMARC result for DK… Alessandro Vesely
- Re: [dmarc-ietf] no DMARC result for DKIM testing… John R. Levine