Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles

Sam Varshavchik <mrsam@courier-mta.com> Wed, 26 May 2021 02:12 UTC

References: <20210525012345.E42AE8A790D@ary.qy> <cone.1621939932.396187.66265.1004@monster.email-scan.com> <14fa34c7-c6a2-2c2c-3de9-f4f8c7327f9e@dcrocker.net> <cone.1621990228.782113.83228.1004@monster.email-scan.com> <5b98b0a0-3545-5370-c8d2-51533b0445f5@dcrocker.net>
Message-ID: <cone.1621995114.332887.83228.1004@monster.email-scan.com>
X-Mailer: http://www.courier-mta.org/cone/
From: Sam Varshavchik <mrsam@courier-mta.com>
To: ietf-smtp@ietf.org
Date: Tue, 25 May 2021 22:11:54 -0400
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=_monster.email-scan.com-83228-1621995114-0002"; micalg="pgp-sha1"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/Y3z9VotM-A0VMwKCdmDi0nnIPc4>
Subject: Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles

Dave Crocker writes:

> Actually, no, that's not what I said.  Bad actors are always the first to  
> adopt the newest anti-spam technologies, to abuse those unfortunates who  
> interpret DKIM the way you described.
>
> DKIM establishes a clean (noise-free) channel from the signer, which means  
> that any assessment about them really is about them.  If they are bad  
> actors, that is a lot easier to assess, as is if they are good actors.

Ah, but the first paragraph's the rub. That's why I saw DKIM-Signature: as a  
spam indicator: the bad actors' initial take-up of DKIM-Signature: was quite  
noticeable.

That was definitely true at one point. Based on today's numbers that I  
looked at, the mainstream adoption of DKIM sadly diluted its early value as a  
spam indicator, ironically.


>> But nearly all other spam, the kind that I do have a major problem with, the  
>> specific type that I'm bitching about, nearly all of it carries a  
>> DKIM-Signature: field. I only found very, very few exceptions to that.
>
> For those assessed as bad actors, was any of their mail mixed in with mail  
> from a different signer who was assessed to be a good actor?

My sample wasn't large enough for that. I have no recollection of seeing  
this; except I have a dim recollection of receiving something non-spam from  
Sendgrid a very, very long time ago, before I wrote them off as damaged  
goods.

Interestingly enough, while researching this response, I found a copy of a  
sendgrid-sourced spam from December 2020, from a previously unknown (to me)  
IP address range (it was spamming an SMS-spam service). It did not have a  
DKIM/DMARC signature of any kind. Nothing from Sendgrid since then until  
today, when Sendgrid attempted to spam one of my Sourceforge mailing lists,  
with a monstrous DKIM-signed spam in Spanish.

So, looks like Sendgrid is

>> Now, to John's point, that DKIM alone is not indicative of reputation, that  
>> it only serves to ascertain identity, and with that out of the way you can  
>> now evaluate the proven identity's reputation. Well, the problem with that  
>> is twofold:
>>
>> 1) There are no known (at least to me) established reputation providers. And  
>> even if there are some that claim to be, history teaches that they don't  
>> really accomplish much.
>
> Gosh, you mean that each evaluator needs to formulate their own criteria,  
> about a complex, fuzzy topic?  Yup!
>
>>
>> 2) So you're left with building and maintaining your own reputation database.
>>
>> That seems like a lot of work to me.
>
> It is.  Sad reality.  Lot of criminals on the streets make safe navigation  
> challenging.  Most people need to outsource their safety efforts.

You can't really have both. Either you "formulate your own criteria", or  
you'll outsource your spam filtering.
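To make the point of the exchange concrete (a DKIM-Signature: field by itself is not a reputation signal; the verified signer identity is what an evaluator keys its own reputation data on), here is an added example in Python that is not part of the original message or of any list member's code. It assumes a local verifier has already recorded its verdict in an Authentication-Results: header; the sample headers, domains and scores are constructed.

```python
import re
from typing import Optional, Tuple

# Local reputation table keyed on the DKIM signing domain (d= tag). Values are
# constructed for this example; an evaluator builds its own from its history.
LOCAL_REPUTATION = {
    "example.com": 5,            # signer with a clean local history
    "bulkmailer.example": -4,    # signer with a bad local history
}

_DKIM_D = re.compile(r"(?:^|;)\s*d=\s*([^;\s]+)", re.I)
_AR_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([^\s;]+)", re.I)

def unfold(headers: str) -> str:
    """Join RFC 5322 folded header lines (line break followed by whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def verified_signer(headers: str) -> Optional[str]:
    """Return the d= domain only if our own verifier recorded dkim=pass for it.
    A DKIM-Signature: field alone proves nothing: it may be forged or broken."""
    signer = passed = None
    for line in unfold(headers).splitlines():
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "dkim-signature":
            m = _DKIM_D.search(value)
            signer = m.group(1).lower() if m else None
        elif name == "authentication-results":
            m = _AR_PASS.search(value)
            passed = m.group(1).lower() if m else None
    return signer if signer and signer == passed else None

def assess(headers: str, reputation=LOCAL_REPUTATION) -> Tuple[Optional[str], int]:
    """Return (signer, score). Unsigned or unverifiable mail has no signer
    identity to assess; signed mail is judged on that signer's own history."""
    signer = verified_signer(headers)
    return (None, 0) if signer is None else (signer, reputation.get(signer, 0))

# Constructed sample headers for the example (not real messages).
GOOD = ("Authentication-Results: mx.example.net;\r\n"
        "\tdkim=pass header.d=example.com header.s=sel1\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
        "\th=from:to:subject; bh=AAAA; b=BBBB\r\n"
        "From: alice@example.com\r\n")
BAD = GOOD.replace("example.com", "bulkmailer.example")   # signed, but bad signer
FORGED = ("Authentication-Results: mx.example.net; dkim=fail header.d=example.com\r\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; b=BBBB\r\n")
UNSIGNED = "From: bob@example.org\r\n"
```

Note that GOOD and BAD both carry a valid-looking signature; only the signer's own history separates them, while FORGED carries a signature and yields no usable identity at all.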