IETF Logo Mail Archive

Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion

"Murray S. Kucherawy" <superuser@gmail.com> Thu, 30 May 2019 18:20 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 485C71200FD for <dmarc@ietfa.amsl.com>; Thu, 30 May 2019 11:20:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5O44uQt0FQVS for <dmarc@ietfa.amsl.com>; Thu, 30 May 2019 11:20:55 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA6B8120165 for <dmarc@ietf.org>; Thu, 30 May 2019 11:20:54 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id a9so4375320lff.7 for <dmarc@ietf.org>; Thu, 30 May 2019 11:20:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9LQpS4y+wDZEvTd8UAK0sIK3kCO9g7G/Xz8HYdf2/B4=; b=CLij4dioZu9ryUSOEZT3LZBf8Hw2C6T7ts3zmA8isT1czA/KEu/3TuLp6GeiBOZIh6 KZzns7jY5JWENKf36vnQh7mJAeWF/0VmSm9LkAqblNnfqHyuX+uZLIHiZ9PNC2ocpeii N/0mpy70KC+ayZi2JYK/T8coomfg8PutJg1gZd/qLdRhsR8cUTBuyYBZc72FqCli9h1o e+MGKLv3SwA77cIJzl+kC4cs9h3zrChHr1TkGZYDbrOYN4jIxINOP+0VHZlzgpx3f4HO Z54sfhzXn/Xj0D2bYGKA+Pn3x/QNi6NhgcCOjWVXvKsvtf0zaQTmWoFPglb75imS5dl6 TDzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9LQpS4y+wDZEvTd8UAK0sIK3kCO9g7G/Xz8HYdf2/B4=; b=KWbcnlzM6gk5RBDaarPjb9OeIUkso5juya5kVxjM1czLPH7RyKNFqMXWuPPl8AAVMF s8JF3OfjuudNs548cVAI8bo/GeE87JI+MJ6elAsIIyGROWVmiYdwiOSHEwzeEyng9yi2 y0Lhp0PcMZtNQlyre3SsG19I8otWcNJ9dhYD9hn80MFGj0vC76xyTjKrCBbqi0qCrAq7 R2417EYdjvvHoHUmqRjfyCnjINOnv6rAlxkE9PHcS3UXyBwAGtEYLHi5ErMNhwHzYYQR IHXPX7lxZxRHTETDOIy7KjYfv53DUBZda6QHXJ7VJFdQpFSjbEowPQ/qdOUKd4tpFGJY 1nog==
X-Gm-Message-State: APjAAAXdnFBWIn16J3u6ZU3waWZVWx/Bq8Ll5D6OEr39lS+/tHowpPC0 rlWknTSaFAyFGVaIgfiOKXCGEEgRE3EATKVoNS0=
X-Google-Smtp-Source: APXvYqzByL4JBv+nym62Os7aGv8vomqUqscg/42pt25tK9PhHhB4FLTZkWtkH0hVM6FdFEypRViXlzAwruz2wWQHmrk=
X-Received: by 2002:ac2:46f9:: with SMTP id q25mr3154495lfo.181.1559240452932; Thu, 30 May 2019 11:20:52 -0700 (PDT)
MIME-Version: 1.0
References: <54FB29A0-517A-430E-AF5B-CB079CC3D7F6@aegee.org> <20190526144848.08A772014A0BF4@ary.qy>
In-Reply-To: <20190526144848.08A772014A0BF4@ary.qy>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 30 May 2019 11:20:41 -0700
Message-ID: <CAL0qLwbxwLTpgYJN9qBTzi2oN1EMvAYuNoDbw5Rx5W46-WNyLA@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: IETF DMARC WG <dmarc@ietf.org>, Дилян Палаузов <Dilyan.Palauzov@aegee.org>
Content-Type: multipart/alternative; boundary="000000000000510903058a1ef54f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/TCZsGDhJn0ndzTDawPpVxUKjEiY>
Subject: Re: [dmarc-ietf] Debugging and preventing DKIM failures- suggestion
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2019 18:20:56 -0000

On Sun, May 26, 2019 at 7:49 AM John Levine <johnl@taugh.com> wrote:

> In article <54FB29A0-517A-430E-AF5B-CB079CC3D7F6@aegee.org> you write:
> >-=-=-=-=-=-
> >
> >Hello Douglas,
> >
> >1) Check the Authentication-Results header. An implementation could put
> there additional information as comment. A
> >downstream MTA will reevaluate the DKIM-Signature anyway, if it does nkt
> trust the previous hop. Common case: aliases
> >to random servers.
>
> That would be my suggestion.  You can put whatever you want into comments
> in the A-R header.
>

At one point in the early DKIM days we were discussing a way to have DKIM
verifiers return enough information to signers to indicate what the
mutation was that invalidated a message.  This was supremely useful in the
early days of DKIM when we were just figuring out how to interoperate; if I
keep a copy of the the canonicalized header and body of something outbound,
and then on receipt you find the signature doesn't validate, then you send
me the canonicalized header and body you saw, and I get to diff them to see
what mutation broke the signature.

We ended up with RFC6651 and the ones to which it references.  OpenDKIM
implements this, but I don't think any other implementation does, so its
use is obviously very limited.

And as John said, there have been numerous proposals over the years of ways
to annotate a message with what "standard" mutations were done so that at
verification time the receiver could decide which mutations it was willing
to forgive, but the community showed no interest in such complexities.

-MSK

v2.23.0 | Report a Bug | By Email