DMARC: A solution using ATPS RFC6541 extension

Hector Santos <> Fri, 16 May 2014 20:24 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 21CFA1A0198 for <>; Fri, 16 May 2014 13:24:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -96.692
X-Spam-Status: No, score=-96.692 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, J_CHICKENPOX_14=0.6, J_CHICKENPOX_16=0.6, J_CHICKENPOX_41=0.6, J_CHICKENPOX_54=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, USER_IN_WHITELIST=-100] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JZfO2hAFm0Kp for <>; Fri, 16 May 2014 13:24:54 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 2424B1A017F for <>; Fri, 16 May 2014 13:24:43 -0700 (PDT)
DKIM-Signature: v=1;; s=tms1; a=rsa-sha1; c=simple/relaxed; l=752389; t=1400271873; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:To:Subject: List-ID; bh=IG+XQuMXDJLiGEeOukWesqOxUvU=; b=HrnlryUsyvDkX8hL2Vx1 ekrxZHdpYgR6kqX4KuDXetwv2taQuBK3a+jE//eOB24oyfhs7P/I9px42tn1Zpe1 5Ie0ldx7mrs6dxmHWoFQPrL6ZhoEZLHRQPz1ilIxiUYajSIQLMHii4Z/1B+NLOMj /qZm4PhMrckfFhFegRiWV5w=
Received: by (Wildcat! SMTP Router v7.0.454.4) for; Fri, 16 May 2014 16:24:33 -0400
Authentication-Results:; dkim=pass header.s=tms1; adsp=pass policy=all;
Received: from ( []) by (Wildcat! SMTP v7.0.454.4) with ESMTP id 3380418347.18691.1872; Fri, 16 May 2014 16:24:31 -0400
DKIM-Signature: v=1;; s=tms1; a=rsa-sha256; c=simple/relaxed; l=752389; t=1400271749; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=aNW8D+d LM8a6r4ZRf3H0/tkucrdS7vD9CVXqwnCSh0w=; b=OJGcAmL0eWOreMtHyKVkTd0 QvwuoSzQ4pUWqVJdT3fBCkVWvKrTiNbF5LmD+tZp8UcNFtn8DRX32UZnWc7yb7LQ Vcy4rSiKW2+XGoQH4XwU067STigURZYTX7/XMJrsUIewSHJ1mMNuiwHCU/ldVKnw GIjKUooH6u2pJUs655Wg=
Received: by (Wildcat! SMTP Router v7.0.454.4) for; Fri, 16 May 2014 16:22:29 -0400
Received: from [] ([]) by (Wildcat! SMTP v7.0.454.4) with ESMTP id 3399919078.9.20800; Fri, 16 May 2014 16:22:22 -0400
Message-ID: <>
Date: Fri, 16 May 2014 16:24:27 -0400
From: Hector Santos <>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Alessandro Vesely <>,
Subject: DMARC: A solution using ATPS RFC6541 extension
References: <> <> <> <>
In-Reply-To: <>
Content-Type: multipart/mixed; boundary="------------060709010200010302030505"
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 16 May 2014 20:24:57 -0000


There is still a status quo between the two different camps; one that 
believes in a policy framework and one that doesn't. It really has 
nothing to do with technical issues because they all has been already 
worked out. But rather an unwillingness to even acknowledge policy 

That approach has not worked and it was predictable because it was 
always a fallacy to believe that strict policies were limited to 
certain use cases and certain domains. It provided a flawed rationale 
and basis to allow DKIM resigning by ignoring policy with the 
acceptability of a limited damage.

The DKIM RFC6376 preferred method of looking up the signer domain has 
simply failed to materialize in the market place.  And even if it did, 
it would still not address the filtering of the obvious protocol 
expected faults resulting from legacy mail operations and adapting 
spoofers.  In other words, via policy, if you raise the "expectation bar":

    Does this domain send any mail?
    Does this domain always sign its own mail?
    Does it allow others to sign freely?
    Does it allow authorized resigners?

The first two could be ignorant spammers who don't have a clue about 
new 5321/5322 methods. Its getting by with a legacy SMTP mode of 
operation.   The last two helps to deal with those spammers that may 
adapt and try to "fake" out the receivers with unchecked DKIM signatures.

These and other similar questions are real DKIM situations the signer 
domain trust model can not answer.  You can only get this info from 
the author.  Even if the signer domain was used, it would need to 
still reflect the author domains intent and authorization for resigning.

None is this is new. Many documents were produced. But we didn't have 
the full IETF DKIM project leaders support and endorsement to finish 
up ADSP.  Levine refused to fix/update ADSP despite all the interest 
to do so.  It was an unfortunate mistake for the DKIM WG chairs and 
Ads to allow this lack of ADSP engineering leadership situation to 
occur.  The chairs and ADs were clearly aware there was a concern and 
also the threat of appeal.

Anyway, the available solution is still very simple. Given all the 
work already explored, DMARC needs an ATPS extension.  ATPS piggy back 
off the ADSP record.  We can just update ATPS to piggy back of the 
DMARC record.  I already started this using my DMARC record:

_dmarc TXT ("v=DMARC1; p=reject; atps=y;;" )

The atps=y tag tells the compliant DMARC+ATPS receiver to do an 
authorized third party signature check against the DKIM-Signature "d=" 
signer domain.  I have an _atps record for

pq6xadozsi47rluiq5yohg2hy3mvjyoo._atps TXT	( "v=atps01;;" )

So in theory, when breaks and resigns my list 
submissions, any download DMARC+ATPS receivers can see that 
authorizes to resign list mail from  I already 
began to modify our WCADSP Wizard web site for DMARC:

It is pretty much done with the backend scripts updated to create 
DMARC records. I am just playing/cleaning the FORM UI, single sourcing 
it for mobile/tablet UI.

Of course, it all means nothing without further support for ATPS.  It 
provides an OUT for YAHOO and AOL to get a resigner whitelist using 
ATPS records.  If they can support this simple extension to DMARC, 
then we would be headed in the right direction for all parties.  Even 
if the certain LIST operators continues to refuse to support policy, 
at the very least, the download receivers would be able to handle it 
better by checking for the list signer domain authorization.

Without the support, you can see the attached dmarc-gmail-warning.png 
image where the GMAIL mail reader (via my iPAD) shows a warning for 
the unauthorized 3rd party signature DMARC failure.  A simple ATPS TXT 
lookup for:


would of addressed this problem.


On 5/16/2014 9:48 AM, Alessandro Vesely wrote:
> On Thu 15/May/2014 17:13:05 +0200 Dave Crocker wrote:

>>    2.  There is nothing that requires mailing lists to make adjustment.
>> Arguably, it is better for mailing lists NOT to make adjustments, so
>> that those affected users can consider the efficacy of their current
>> account.
> I'm disappointed.  I know p=reject, like dkim=discardable before it,
> was meant to be used by domains that "don't have individual human
> users".  I cannot help comparing it to SPF's -all.  In fact, DMARC's
> overview[1] suggests that the monitoring step be followed by policy
> adjustment.  Looking at DMARC reports, one can guess whether an
> authentication failure originates from abuse or from a possibly
> forwarded mailing list post.  Setting a strict policy would kill both.
>   OTOH DMARC is perfectly useless with p=none.
> What does it take to set up a "human" domain, then?  It's way harder
> than a web site.  Several organizations give up working out their own
> way to configuring a mail server.  Google do an excellent job at
> filtering.  Besides marking as spam and email authentication, they
> deploy literally hundreds of signals, whose relative importance is
> dynamic and determined on complex algorithms[2], which are definitely
> beyond the reach of an average company with a smallish IT dept.
> Now, being forced to outsource email has obvious privacy issues.  I
> want to ask whether the onset of giant, all-monitoring, central email
> plants is part of "the basic design assumptions of Internet email".
> If not, we ought to consider putting the restoring of a well-defined,
> simple email functionality among the Internet 2020 goals.  Can DMARC
> generalization be regarded as a spontaneous move in that direction?
> It requires adjustments in mailing lists and other niches such as WSJ
> send-an-article and gmail sending.  But what are the alternatives?
> Ale
> [1] How Senders Deploy DMARC in 5-Easy Steps, bottom section in
> [2] summary of a talk with Sri Somanchi on Gmail's Anti-Spam Team