Re: [dmarc-ietf] Question regarding RFC 8617

Brandon Long <> Thu, 07 November 2019 23:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C914F12002F for <>; Thu, 7 Nov 2019 15:16:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hfiSvkCG65O3 for <>; Thu, 7 Nov 2019 15:16:16 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::e43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AC20A1200B1 for <>; Thu, 7 Nov 2019 15:16:16 -0800 (PST)
Received: by with SMTP id a143so2507833vsd.9 for <>; Thu, 07 Nov 2019 15:16:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FoakIaRoMdjfRK7u041DXGzP2KQkaSt4+QtydErJtEc=; b=eD7MPysLIXxpQrZSNwv/qhub4aNj3rMJfS+VJm2lvkb6CMPuMUXGHqxGM2kRNiqbHt q15gYRrx02nCzP0/BN9SnMYszxuULEZZJGBRg5ECh9/Vx6tBq8WQ740m0z0wesktWt+f M0HzaIaFf7n2qlDBPHrNZkHuduJMz473mXmySyqOYBpdkTLlEa+ueuAQxvCq9FE5R33G gF0RrNhiAyGLgMWwQ671kuMzuJ2w1nqTr/MjG4FiMSDjuJ35Pmx2ybJxgr3NN8c13rBf ZNek/2tV3M0v/PVMdZmlzcIRrZA5j67/01i082168AAoEjazPe5kufMCP9JTFdA2VpAX Rb7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FoakIaRoMdjfRK7u041DXGzP2KQkaSt4+QtydErJtEc=; b=r+8nz3oIXE2cSAyWdF+MdcJZ51s+p4MlrML3LhQ0IFKe3T+k3sjNkUBAwv3WvLl8MW cWyJSU+5WUqdqveC3JgE32JUFE/OzMnqRp05ed/X+e3OBoIFRdYMWrRrs7zsVdMPT9Xn 5BHPyI13RHEOdB5xmIvb37vwfUytjKTma1IMT67e5z6BLxc0bBSEX6fzR0ZgwG1RuZ4b vOwvQk91o2Th/Ub2z9leUqcaJB9obHIwuY436IsJyR66inTXjxPhKSKwYcy/4QL9Nt4h NcckHdeKo8mgRkP6ws3MZSFPOH2VLNkG39y28z2SA78AxwS3S2rIlslaj/KA9OUmnXp0 8Eww==
X-Gm-Message-State: APjAAAVxTy4mft8xsy78JJ1knpvVQs1EjUC6BqzpuEd8RQpRWn/aJLMj c4ReREk6yy7kGWCzRcEiZa28vfHeS9gqAPUt0yIZ
X-Google-Smtp-Source: APXvYqx11x6ReP4EOahgajMTJPkDf46R2JOSoYAPju5y+RLzO2c0siL4hBwQfCn+qu0maDXdD/IJq2XdctgYMQwDBzY=
X-Received: by 2002:a67:f74f:: with SMTP id w15mr5078176vso.131.1573168574877; Thu, 07 Nov 2019 15:16:14 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Brandon Long <>
Date: Thu, 7 Nov 2019 15:16:02 -0800
Message-ID: <>
To: Dave Crocker <>
Cc: Brandon Long <>, "Kurt Andersen (b)" <>, "" <>, "Weist, Bill" <>
Content-Type: multipart/alternative; boundary="0000000000001477a60596c9da39"
Archived-At: <>
Subject: Re: [dmarc-ietf] Question regarding RFC 8617
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 Nov 2019 23:16:19 -0000

On Thu, Nov 7, 2019 at 9:28 AM Dave Crocker <> wrote:

> On 11/6/2019 9:43 AM, Brandon Long wrote:
> > What's more, the point of including Subject and other mutable headers is
> > the same as it is for DKIM, those are the headers which are important to
> > the receiver, so they should be validated.
> This being a technical list, I'm going to get picky and note that DKIM
> does not 'validate' those fields.
> There is a derivative data integrity benefit, between signing and
> validated, for such fields, but that is quite different from any claim
> that the contents of those fields are 'valid'.
> Some signing sites have much more stringent uses of DKIM than are
> provided by the standard.  That's fine, of course, but it has nothing to
> do with the standard.  Hence any receive-side reliance on such signer
> data validation is outside the DKIM standard.

I should have said "covered by the signature".

And I think they are important to both the sender and receiver, your DKIM
RFC calls them "core to the message content" and so the "core of the
message is valid"... which is different than validated, of course.

For ARC, this still holds true, that AMS is analogous DKIM, and should cover
 the core of the message, and ARC allows for you to know if and between
which hops
the core of the message was modified.