[Ietf-dkim] DKIM-Signature: r=y and MLM

Dilyan Palauzov <Dilyan.Palauzov@aegee.org> Sat, 11 August 2018 03:38 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/3oN5Lz7s2nRobuMzdVgllZQ46mU>


RFC6651 (Extensions to DomainKeys Identified Mail (DKIM) for Failure  
Reporting) adds to DKIM-Signature the couple r=y - when an existing  
DKIM-Signature does not validate, the signing server is notified that  
something went (unintentionally) wrong.

The DKIM aggregate reports show whether a server signs all mails
correctly or not.  If the aggregate reports show that this is sometimes
(let's say in 1%) not done correctly, the signer has no way to find
for which email the signing has not worked and cannot fix the signing
software, unless a report for the failing mail is sent with r=y.

RFC6377 (DomainKeys Identified Mail (DKIM) and Mailing Lists) suggests
in section 5.7 to remove the invalidated DKIM-Signatures, if the
mailing list software has changed the email.

I have not read ARC, but I have the impression that it says to keep  
the invalidated DKIM-Signatures.

When an email with DKIM-Signature: r=y is sent to a mailing list, the
email is modified, and a final recipient following r=y sends a report.
The problem is that this report is useless and distracting - it does
not indicate that the signer-MTA or validator-MTA are implemented in
the wrong way.

I suggest here to recommend, in a more formal manner, that MLMs
modifying a message are supposed to remove the r=y part of the just
invalidated DKIM-Signature, and that this logic is also applied for ARC, if
relevant (I don't know ARC).  Fixing only ARC will not help, as there
is software that follows DKIM, but has no idea about ARC.

Is such a recommendation a good idea?

How to make the recommendation?  Amendment to RFC6377, amendment to RFC
6651, something else, that is very short to compose?
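
What the proposal above would look like inside a list manager, as an added example that is not part of the original post and not taken from any MLM's code: after the list has altered a message, each DKIM-Signature is rewritten without its r= tag, so downstream verifiers following RFC 6651 have no report request to act on. The function names and the sample message are constructed, and the sketch assumes the caller already knows the message was modified, so the signatures it touches are already invalid.

```python
from email import message_from_string

def strip_report_tag(sig_value: str) -> str:
    """Return a DKIM-Signature value without its r= tag (RFC 6651)."""
    kept = []
    for tag in sig_value.split(";"):          # tag values never contain ';'
        name = tag.split("=", 1)[0].strip()   # strip folding whitespace
        if name != "r":                       # tag names are case-sensitive
            kept.append(tag)
    return ";".join(kept)

def drop_report_requests(msg) -> int:
    """Call only after the list has altered the message.

    Rewrites every DKIM-Signature in place and returns how many changed.
    Headers are removed and re-added in their original order so the
    position of each signature among the other headers is preserved.
    """
    headers = msg.items()
    for name in {n for n, _ in headers}:
        del msg[name]
    changed = 0
    for name, value in headers:
        if name.lower() == "dkim-signature":
            stripped = strip_report_tag(value)
            changed += stripped != value
            value = stripped
        msg[name] = value
    return changed

# Constructed sample: two signatures, only the first one requests reports.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1; r=y;\n"
    "\tbh=Y29uc3RydWN0ZWQ=; h=Date:From:To:Subject; b=c2FtcGxl\n"
    "From: Alice <alice@example.org>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel2;\n"
    "\tbh=Y29uc3RydWN0ZWQ=; h=From:Subject; b=b3RoZXI=\n"
    "Subject: [list] hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print(drop_report_requests(msg), "signature(s) rewritten")
    print(msg.as_string())
```

Splitting on the tag-list separator rather than searching for the text `r=y` keeps values such as `bh=` or `b=` intact even when they happen to contain those characters.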