Re: [dmarc-ietf] DMARC result for DKIM testing and policy
Scott Kitterman <sklist@kitterman.com> Thu, 21 March 2024 14:59 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/XKDHyuprXjeXZbAetFylJ62qJ5o>
On March 21, 2024 2:15:00 PM UTC, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
>On Thu, Mar 21, 2024 at 5:55 AM Alessandro Vesely <vesely@tana.it> wrote:
>
>> On Wed 20/Mar/2024 23:11:20 +0100 Matthäus Wander wrote:
>> > Alessandro Vesely wrote on 2024-03-20 15:42:
>> >> what is the result of DMARC on having, say
>> >>
>> >> dkim=pass (testing key)
>> >> or
>> >> dkim=policy (512 byte key)
>> >>
>> >> is that akin to SPF neutral, i.e. dmarc=fail?
>> >
>> > dkim=pass results in dmarc=pass (if the domain is aligned). The comment in
>> > brackets is for human eyes and does not change the DMARC result.
>>
>>
>> For t=y, DKIM says:
>>
>>     y  This domain is testing DKIM.  Verifiers MUST NOT treat messages
>>        from Signers in testing mode differently from unsigned email,
>>        even should the signature fail to verify.  Verifiers MAY wish
>>        to track testing mode results to assist the Signer.
>>
>> So reporting dkim=pass for testing keys seems to be a violation.
>>
>>
>> > dkim=policy is like spf=neutral, i.e. dmarc=fail.
>>
>>
>> Agreed.  Should that be mentioned in DMARCbis?
>>
>>
>I don't believe there's any need to discuss this topic in DMARCbis.
>
>DMARCbis, in section 4.1, DMARC Basics, says:
>
>===============================================================
>
>A message satisfies the DMARC checks if at least one of the supported
>authentication mechanisms:
>
>   1. produces a "pass" result, and
>   2. produces that result based on an identifier that is in alignment, as
>      described in Section 4.4.
>
>===============================================================
>
>If there's anything to say about reporting a DKIM pass result for DKIM
>signatures where t=y exists and its possible ramifications for DMARC, then
>I believe that's something for an update to RFC 6376 to address.
>

Except that we added a DMARC testing flag in DMARCbis, right?

It seems to me that it's reasonable to consider a test DKIM signature a pass for DMARC when the DMARC record says it's for testing, which would result in some sort of test pass result from DMARC. That would, however, be a mess for a variety of reasons.

I think it would be reasonable to document in our document that this isn't how it works. DKIM provides an output of a signing domain and verified/not verified. DMARC requires a verified signature for an aligned domain to generate a pass result.

As you suggest, I think the DKIM test flag is only a consideration for the DKIM verifier. Nothing to do with DMARC, so let's say that.

Scott K
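
The division of labour described in this message, as an added example that is not part of the original post or of any DMARC implementation: the DKIM verifier hands over a result and a signing domain, and the DMARC check only asks whether some result is "pass" for an aligned domain. It covers the DKIM leg only; the function names, the sample headers and the two-label organizational-domain shortcut are assumptions made for this sketch.

```python
import re

# One "dkim=" entry of an Authentication-Results header: the result keyword,
# an optional parenthesised comment, then properties up to the next ";".
_DKIM_ENTRY = re.compile(r"dkim=(\w+)\s*(?:\(([^)]*)\))?([^;]*)")


def parse_dkim_results(auth_results):
    """Return [(result, signing_domain)]; the comment is parsed and dropped."""
    entries = []
    for result, _comment, props in _DKIM_ENTRY.findall(auth_results):
        d = re.search(r"header\.d=([\w.-]+)", props)
        entries.append((result.lower(), d.group(1).lower() if d else None))
    return entries


def org_domain(domain):
    # Simplification for this sketch: keep the last two labels. A real
    # evaluator uses a proper organizational-domain lookup.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, signing_domain, strict=False):
    if strict:
        return from_domain.lower() == signing_domain
    return org_domain(from_domain) == org_domain(signing_domain)


def dmarc_via_dkim(from_domain, auth_results, strict=False):
    """DKIM leg of DMARC only: pass needs a verified, aligned signature."""
    for result, d in parse_dkim_results(auth_results):
        if result == "pass" and d and aligned(from_domain, d, strict):
            return "pass"
    return "fail"


# Constructed sample headers (not taken from real mail).
SAMPLES = {
    "testing_comment": "mx.example.org; dkim=pass (testing key) header.d=example.com",
    "policy": "mx.example.org; dkim=policy (512 byte key) header.d=example.com",
    "unaligned": "mx.example.org; dkim=pass header.d=example.net",
    "two_sigs": "mx.example.org; dkim=neutral (unsupported algorithm) "
                "header.d=example.com; dkim=pass header.d=mail.example.com",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name, dmarc_via_dkim("example.com", header))
```

Whether a t=y key should ever surface as dkim=pass is decided before this function is called, inside the DKIM verifier.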