Re: [dmarc-ietf] Why does DKIM fail when SPF succeeds (was: DMARC2 & SPF Dependency Removal)

Matthäus Wander <mail@wander.science> Sun, 23 July 2023 22:51 UTC

Return-Path: <mail@wander.science>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01993C15108C for <dmarc@ietfa.amsl.com>; Sun, 23 Jul 2023 15:51:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wander.science header.b="Pb15Qh+E"; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=wander.science header.b="TFVezMtN"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jG1691JK-wsa for <dmarc@ietfa.amsl.com>; Sun, 23 Jul 2023 15:51:18 -0700 (PDT)
Received: from mail.swznet.de (cathay.swznet.de [IPv6:2a01:4f8:13b:2048::113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E1B5C151075 for <dmarc@ietf.org>; Sun, 23 Jul 2023 15:51:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=wander.science; s=2023-05-rsa; h=Subject:Content-Transfer-Encoding: Content-Type:In-Reply-To:From:References:To:MIME-Version:Date:Message-ID:Cc: Sender:Reply-To; bh=PwxXS2rTPXJvZfFoHIHR7vparT4YQcXcB6pDJkN1ylU=; b=Pb15Qh+Ed n2argrjSDHn360Qb5tM1574tp8hpIykZ0cVy011bTzpIkOa3+9l8RCs/Z2ArMIYfY15/2p9h0/G+c cE2mNI52ZcbbTC9qnpA48KB1J3FTFvbrUvbIyzqnL38Q5jdB2Hb1o3LklBXA6m/qKF+We7S0cQSiY 8+ru0TOlrtpADONu/XojPOQQMKKp7x2B0sa3Zy1LTGAO03jzjcmzpWypmKJFRh/SrYSJ1HgFRW0g3 fCJ1cDzEeieW60NeEPbp8MJMU7OxQAUZLZBjFXeLlHCDZYkDuOD0bJ6NhcQD5Nq+teym1uxTiv9pJ c627+u17C7DKsx44WyfGxlNXg==;
DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=wander.science; s=2023-05-ed25519; h=Subject:Content-Transfer-Encoding: Content-Type:In-Reply-To:From:References:To:MIME-Version:Date:Message-ID:Cc: Sender:Reply-To; bh=PwxXS2rTPXJvZfFoHIHR7vparT4YQcXcB6pDJkN1ylU=; b=TFVezMtN8 Z5OzJ4pWPjLohXmtl6eWOp25Iz6sEkYRz9jMkdO4V+McIgX4yWAcpyNDCqd2RQKaiS+MsW2uxLfDA ==;
Received: from dynamic-2a01-0c22-c007-3300-111c-b3cc-21c5-8c3f.c22.pool.telefonica.de ([2a01:c22:c007:3300:111c:b3cc:21c5:8c3f]) by mail.swznet.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <mail@wander.science>) id 1qNhv1-003HA6-Ot for dmarc@ietf.org; Mon, 24 Jul 2023 00:51:16 +0200
Message-ID: <f8f465a8-b708-8bdc-b42b-c396d69569c5@wander.science>
Date: Mon, 24 Jul 2023 00:51:13 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0
Content-Language: en-US
To: dmarc@ietf.org
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <D225D7FC-C570-4B63-A694-9F16DB1F33E1@kitterman.com> <CALaySJKwuOK-81dW2H9dtURxa5mLQDUNo+MWcs+Hho8N+yP9qg@mail.gmail.com> <2817813.dRqVH37e0G@localhost> <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com> <dd0661c0-e476-62b4-fe7a-8ec4d1a62818@wander.science> <CAL0qLwYh1fTY9b5rWz+p8=+zO3YNivFUZs3o3bvNvxT1aU3aRQ@mail.gmail.com>
From: Matthäus Wander <mail@wander.science>
In-Reply-To: <CAL0qLwYh1fTY9b5rWz+p8=+zO3YNivFUZs3o3bvNvxT1aU3aRQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-SA-Exim-Connect-IP: 2a01:c22:c007:3300:111c:b3cc:21c5:8c3f
X-SA-Exim-Mail-From: mail@wander.science
X-SA-Exim-Version: 4.2.1 (built Sat, 13 Feb 2021 17:57:42 +0000)
X-SA-Exim-Scanned: Yes (on mail.swznet.de)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/iq8F4XGUVpeDOQfyfEaIWsFjAyw>
Subject: Re: [dmarc-ietf] Why does DKIM fail when SPF succeeds (was: DMARC2 & SPF Dependency Removal)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Jul 2023 22:51:22 -0000

Murray S. Kucherawy wrote on 2023-07-24 00:10:
> On Sun, Jul 23, 2023 at 1:06 PM Matthäus Wander 
> <mail=40wander.science@dmarc.ietf.org> wrote:
> 
>     b) Messages are generated by an automated system without a Date header
>     and signed by a central MTA. An outgoing mail gateway then adds the
>     missing Date header (Postfix option 'always_add_missing_headers'), thus
>     invalidating the DKIM signature.
> 
> 
> Why is the signer claiming to sign a header field ("Date", in this case) 
> that isn't there?  This seems like a bug.

The signer uses a fixed set of header fields to sign, which usually 
exist or should be oversigned if nonexistent (one size fits most). The 
signer is not tailored towards this specific mail source. But yes, it's 
a bug in the system.

Regards,
Matt
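To make concrete what listing an absent header field in h= ("oversigning") does, and why a gateway that adds that field after signing breaks the signature, here is an added Python example; it is not code from this thread, from Postfix or from any DKIM signer discussed. It builds the DKIM hash input with RFC 6376 relaxed/relaxed canonicalization and header selection, with HMAC-SHA256 standing in for the RSA signature so it runs without a key pair. The key, domain, selector, addresses, Date value and message body are constructed for the example; the h= list mirrors the "one size fits most" fixed list described above.

```python
"""Minimal DKIM canonicalization (RFC 6376, relaxed/relaxed) showing how an
absent field listed in h= is bound as empty, so a copy added later invalidates
the signature. HMAC-SHA256 replaces RSA here purely so the example runs offline."""
import hashlib
import hmac
import re

KEY = b"constructed-example-key-not-a-dkim-key"   # stand-in for the signer's private key
SELECTOR, DOMAIN = "2023-05", "example.org"        # constructed values
# Fixed signer list; Date and Cc are listed even when the source omits them.
H_LIST = ["From", "To", "Subject", "Date", "Message-ID", "Cc"]

# Constructed message from an automated source that sets no Date header.
MSG_NO_DATE = (
    "From: alerts@example.org\r\n"
    "To: ops@example.net\r\n"
    "Subject: disk  usage\r\n"
    "Message-ID: <1@example.org>\r\n"
    "\r\n"
    "/var is full \r\n"
)


def split_message(msg):
    """Return ([(name, raw_value), ...] in wire order, body); folded lines are joined."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in " \t" and headers:                      # continuation of a folded field
            headers[-1] = (headers[-1][0], headers[-1][1] + "\r\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase the name, unfold, collapse WSP, strip WSP around ':'."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.strip().lower()}:{value}\r\n"


def relaxed_body(body):
    """RFC 6376 3.4.4: drop trailing WSP per line, collapse WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def select_headers(headers, h_list):
    """RFC 6376 5.4.2: for each name in h=, take the last not-yet-used instance
    (bottom up). A name with no instance left contributes nothing now, but the
    verifier will fill that slot with any copy added later: that is oversigning."""
    used, selected = set(), []
    for name in h_list:
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].strip().lower() == name.lower():
                used.add(i)
                selected.append(headers[i])
                break
    return selected


def signed_data(headers, h_list, sig_value_without_b):
    """Hash input: selected headers, then the DKIM-Signature field with b= empty and no trailing CRLF."""
    data = "".join(relaxed_header(n, v) for n, v in select_headers(headers, h_list))
    return data + relaxed_header("DKIM-Signature", sig_value_without_b).rstrip("\r\n")


def sign(msg, h_list=H_LIST):
    """Prepend a DKIM-Signature field to msg (HMAC stands in for the RSA signature)."""
    headers, body = split_message(msg)
    bh = hashlib.sha256(relaxed_body(body).encode()).hexdigest()
    tags = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={DOMAIN}; s={SELECTOR}; "
            f"h={':'.join(h_list)}; bh={bh}; b=")
    b = hmac.new(KEY, signed_data(headers, h_list, tags).encode(), "sha256").hexdigest()
    return f"DKIM-Signature: {tags}{b}\r\n" + msg


def verify(msg):
    """Recompute bh= and b= from the message as received; True only if both match."""
    headers, body = split_message(msg)
    idx = next((i for i, (n, _) in enumerate(headers) if n.lower() == "dkim-signature"), None)
    if idx is None:
        return False
    sig = headers[idx][1]
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    if hashlib.sha256(relaxed_body(body).encode()).hexdigest() != tags.get("bh"):
        return False
    others = headers[:idx] + headers[idx + 1:]            # the field being verified is excluded
    sig_without_b = sig[: sig.rfind("b=") + 2]
    expected = hmac.new(KEY, signed_data(others, tags["h"].split(":"), sig_without_b).encode(),
                        "sha256").hexdigest()
    return hmac.compare_digest(expected, tags.get("b", ""))


def gateway_add_missing_date(msg, date="Mon, 24 Jul 2023 00:51:13 +0200"):
    """Mimics an outgoing gateway that adds a Date header when none exists
    (Postfix always_add_missing_headers); where it is placed does not matter to DKIM."""
    headers, _ = split_message(msg)
    if any(n.strip().lower() == "date" for n, _ in headers):
        return msg
    return f"Date: {date}\r\n" + msg


def demo():
    """Outcomes for the scenario in the thread and for the two obvious fixes."""
    signed = sign(MSG_NO_DATE)                               # central MTA signs; Date slot is empty
    return {
        "as_signed": verify(signed),                                            # True
        "date_added_after_signing": verify(gateway_add_missing_date(signed)),   # False
        "date_added_before_signing": verify(sign(gateway_add_missing_date(MSG_NO_DATE))),  # True
        "date_dropped_from_h": verify(gateway_add_missing_date(
            sign(MSG_NO_DATE, ["From", "To", "Subject", "Message-ID"]))),        # True
        "subject_whitespace_changed": verify(signed.replace("disk  usage", "disk usage")),  # True
    }
```

The second outcome is the failure mode from the thread: the signer bound Date as empty, the gateway filled it in, and the verifier hashes different data. Either fix works, but they differ in what they allow: adding the missing header before the signer runs keeps Date under the signature, whereas dropping an absent name from h= lets anyone insert a Date downstream without detection. The last case shows why relaxed canonicalization is chosen for this kind of path: whitespace changes in signed fields survive, header additions do not.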