Re: [dmarc-ietf] DMARC result for DKIM testing and policy

Scott Kitterman <sklist@kitterman.com> Thu, 21 March 2024 14:59 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1C08C1519B7 for <dmarc@ietfa.amsl.com>; Thu, 21 Mar 2024 07:59:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="jMNFqxkE"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="VH0kGJY9"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w7k3JATxE5fu for <dmarc@ietfa.amsl.com>; Thu, 21 Mar 2024 07:59:02 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB018C1D61F2 for <dmarc@ietf.org>; Thu, 21 Mar 2024 07:58:45 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 41E3BF8024C; Thu, 21 Mar 2024 10:58:35 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1711033099; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=zrS3cDHobEWwU64i5+Mb9+Bo/VXnIfK26h7POLHdzYk=; b=jMNFqxkEg1tGi0BMMHV37TF94M2800odV9AtTus4ALlXngvWpN+o8T8IeHd7Nj+oHJdp9 AaIHEJ526V1ig5CCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1711033099; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=zrS3cDHobEWwU64i5+Mb9+Bo/VXnIfK26h7POLHdzYk=; b=VH0kGJY99IBooAHKElAZio5BN2jASXbgIFFmdnHOcoolf6LmpIXqU8z8qGW6auN1S82wP Im0MSmIGlrQXfmP0+5EFCckWVD9uhSn1KrYwjdP7SZt8ej2OlD5LPqt/dXjewjWwcEhX5S9 7siAQpkV0SRa+80A74CxfWfHc8v4nDhFu+2hjfFp0mJB+FeJufe9LbLQJpa8qMWz7++7gHy yfVBNA3oMz2DZqlEidZuFlHdASVD7tCBo6ryPaX9GeCT85UZ6Yag/eL4q4UFg7nerHf5Nqt mlNvlfS/zG6sLi0dodnZvz1N38b9EN7tVTDa8Fwor3bTvVHraSBDOVsOyZFA==
Received: from [127.0.0.1] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 8CC38F801DB; Thu, 21 Mar 2024 10:58:19 -0400 (EDT)
Date: Thu, 21 Mar 2024 14:58:17 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <CAHej_8m6MFQ9m5U+=iHeL9MiXno3LF80=rsbKv0c99_24yo2Qw@mail.gmail.com>
References: <27cf610e-8666-410c-b015-6c33478af9b4@tana.it> <d959df28-efae-41df-a760-95adf48f5d91@wander.science> <8acac3b8-4529-4c21-b7a4-462564199db4@tana.it> <CAHej_8m6MFQ9m5U+=iHeL9MiXno3LF80=rsbKv0c99_24yo2Qw@mail.gmail.com>
Message-ID: <8376D937-E7A9-4C0D-86F9-DB4FD2C117E6@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/XKDHyuprXjeXZbAetFylJ62qJ5o>
Subject: Re: [dmarc-ietf] DMARC result for DKIM testing and policy
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2024 14:59:07 -0000


On March 21, 2024 2:15:00 PM UTC, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
>On Thu, Mar 21, 2024 at 5:55 AM Alessandro Vesely <vesely@tana.it> wrote:
>
>> On Wed 20/Mar/2024 23:11:20 +0100 Matthäus Wander wrote:
>> > Alessandro Vesely wrote on 2024-03-20 15:42:
>> >> what is the result of DMARC on having, say
>> >>
>> >>      dkim=pass (testing key)
>> >> or
>> >>      dkim=policy (512 byte key)
>> >>
>> >> is that akin to SPF neutral, i.e. dmarc=fail?
>> >
>> > dkim=pass results in dmarc=pass (if the domain is aligned). The comment
>> in
>> > brackets is for human eyes and does not change the DMARC result.
>>
>>
>> For t=y, DKIM says:
>>
>>        y  This domain is testing DKIM.  Verifiers MUST NOT treat messages
>>           from Signers in testing mode differently from unsigned email,
>>           even should the signature fail to verify.  Verifiers MAY wish
>>           to track testing mode results to assist the Signer.
>>
>> So reporting dkim=pass for testing keys seems to be a violation.
>>
>>
>> > dkim=policy is like spf=neutral, i.e. dmarc=fail.
>>
>>
>> Agreed.  Should that be mentioned in DMARCbis?
>>
>>
>I don't believe there's any need to discuss this topic in DMARCbis.
>
>DMARCbis, in section 4.1, DMARC Basics, says:
>
>===============================================================
>
>A message satisfies the DMARC checks if at least one of the supported
>authentication mechanisms:
>
>   1.  produces a "pass" result, and
>
>   2.  produces that result based on an identifier that is in alignment, as
>       described in Section 4.4.
>
>===============================================================
>
>If there's anything to say about reporting a DKIM pass result for DKIM
>signatures where t=y exists and its possible ramifications for DMARC, then
>I believe that's something for an update to RFC 6376 to address.
>

Except that we added a DMARC testing flag in DMARCbis, right?  It seems to me that it's reasonable to consider a test DKIM signature a pass for DMARC when the DMARC record says it's for testing, which would result in some sort of test pass result from DMARC.  That would, however, be a mess for a variety of reasons.

I think it would be reasonable to document in our document that this isn't how it works.  DKIM provides an output of a signing domain and verified/not verified.  DMARC requires a verified signature for an aligned domain to generate a pass result.  As you suggest, I think the DKIM test flag is only a consideration for the DKIM verifier.  Nothing to do with DMARC, so let's say that.

Scott K
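A worked example of the evaluation the thread is describing, added here as illustration and not code from the list or any of its participants: parse an Authentication-Results header of the RFC 8601 shape, then apply the DMARCbis section 4.1 rule that a DMARC pass needs a method result of exactly "pass" on an identifier aligned with the RFC5322.From domain. It shows that the parenthesised comment ("testing key", "512-bit key") is never consulted, and that "policy" and "neutral" results contribute nothing, which is what Matthäus and Alessandro state above. The first header value is the one on this very message as received at ietfa.amsl.com; the rest are constructed. The organizational-domain helper is a deliberate simplification (last two labels) standing in for the Public Suffix List or tree walk a real verifier uses, and is labelled as such.

```python
"""DMARC outcome from Authentication-Results DKIM/SPF results.
Added example for this thread; not code from the list or its participants."""
import re
from dataclasses import dataclass, field


@dataclass
class AuthResult:
    method: str          # "dkim", "spf", ...
    result: str          # "pass", "fail", "neutral", "policy", ...
    comment: str = ""    # parenthesised text such as "testing key": for human eyes only
    props: dict = field(default_factory=dict)   # e.g. {"header.d": "example.com"}


_RESINFO = re.compile(r'^(?P<m>[\w-]+)=(?P<r>\w+)\s*(?:\((?P<c>[^)]*)\))?(?P<p>.*)$', re.S)
_PROP = re.compile(r'([\w-]+\.[\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def _split_clauses(value):
    """Split an Authentication-Results value on ';' outside comments and quoted strings."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"' and depth == 0:
            quoted = not quoted
        elif not quoted:
            if ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            elif ch == ';' and depth == 0:
                parts.append(''.join(cur))
                cur = []
                continue
        cur.append(ch)
    parts.append(''.join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_authentication_results(value):
    """Return (authserv-id, [AuthResult, ...]) for one header value."""
    clauses = _split_clauses(value)
    authserv = clauses[0].split()[0] if clauses else ""
    results = []
    for clause in clauses[1:]:
        m = _RESINFO.match(clause)
        if not m or m['m'].lower() == 'none':
            continue
        props = {k.lower(): v.strip('"') for k, v in _PROP.findall(m['p'])}
        results.append(AuthResult(m['m'].lower(), m['r'].lower(), (m['c'] or '').strip(), props))
    return authserv, results


def organizational_domain(domain):
    """ASSUMPTION: last two labels. A real verifier uses the PSL or the DMARCbis
    tree walk; this shortcut is wrong for names like example.co.uk."""
    return '.'.join(domain.lower().rstrip('.').split('.')[-2:])


def is_aligned(from_domain, auth_domain, mode):
    """'s' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == 's':
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_result(from_domain, results, adkim='r', aspf='r'):
    """DMARC passes iff some DKIM or SPF result is exactly 'pass' AND its
    identifier aligns with the From domain. Comments are never read, and
    'policy', 'neutral', 'fail' etc. never produce a pass."""
    for r in results:
        if r.result != 'pass':
            continue
        if r.method == 'dkim':
            ident, mode = r.props.get('header.d'), adkim
        elif r.method == 'spf':
            ident, mode = r.props.get('smtp.mailfrom'), aspf
            if ident and '@' in ident:          # RFC 8601 allows a full mailbox here
                ident = ident.rsplit('@', 1)[1]
        else:
            continue
        if ident and is_aligned(from_domain, ident, mode):
            return 'pass'
    return 'fail'


def evaluate(header_value, from_domain, adkim='r', aspf='r'):
    """Convenience wrapper: header value in, 'pass' or 'fail' out."""
    _, results = parse_authentication_results(header_value)
    return dmarc_result(from_domain, results, adkim, aspf)


# Header value from this message as received at ietfa.amsl.com (quoted from the page).
THIS_MESSAGE = ('ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported '
                'algorithm ed25519-sha256)" header.d=kitterman.com header.b="jMNFqxkE"; '
                'dkim=pass (2048-bit key) header.d=kitterman.com header.b="VH0kGJY9"')

# Constructed samples for the cases raised in the thread.
SAMPLES = [
    ('mx.example.net; dkim=pass (testing key) header.d=example.com header.b="abcd"', 'example.com'),
    ('mx.example.net; dkim=policy (512-bit key) header.d=example.com', 'example.com'),
    ('mx.example.net; spf=neutral smtp.mailfrom=bounce@example.com', 'example.com'),
]

if __name__ == '__main__':
    for hdr, frm in [(THIS_MESSAGE, 'kitterman.com')] + SAMPLES:
        print(f'{evaluate(hdr, frm):4s}  From={frm}  {hdr}')
```

On this message the ed25519 signature comes back "neutral" at the receiving side (unsupported algorithm) and the RSA one "pass", so DMARC passes on the aligned RSA signature alone; a "policy" result for a short key, or SPF "neutral", leaves no pass to align and therefore yields dmarc=fail, exactly as with an unsigned message.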