Since 05/2014, I have published DMARC records for several of my domains. Our mail receivers support ATPS (rev04), where the "atps=y" tag extension was added to my records. For example, for my non-corporate, "play around" domain isdg.net, I have:

"v=DMARC1; p=none; atps=y; rua=mailto:[email protected]; ruf=mailto:[email protected];";

ATPS draft rev04 was written as an ADSP extension. With rev05 and the final ATPS RFC 6541, ATPS was made an extension off the DKIM record instead, not ADSP.

What I did was add ATPS support to the DMARC record as a 3rd party extension allowed by DMARC.

I am happy to report that after two years, there is no indication of an interop problem. The unknown tag to non-supported ATPS receivers does not interfere with the DMARC processing. The reports received come from a wide number of domains.

I am also happy to report that the concept works very well in authorizing third party resigners using the ATPS (rev04) protocol. Here is an actual Auth-Res for a list message ietf.org resigner. I put a divider line for better viewing:

Authentication-Results: dkim.winserver.com;
 ----
 dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
 adsp=pass policy=all author.d=isdg.net asl.d=ietf.org;
 dmarc=pass policy=none author.d=isdg.net signer.d=ietf.org (atps signer);
 ----
 dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=isdg.net header.s=tms1 header.i=isdg.net;
 adsp=pass author.d=isdg.net signer.d=isdg.net (originating signer);
 dmarc=pass policy=none author.d=isdg.net signer.d=isdg.net (originating signer);


The first bottom triplet results are for the original signature. It fails the DKIM signature with a body hash mismatch. Both ADSP and DMARC pass as original signers (author == signer). In reality, if the rejection switch was enabled, this should be a FAIL because the signature is invalid.

However, for the ietf.org list resigner triplet results, it passed as an ADSP ASL resigner and ATPS record resigner (author != signer).

DKIM/ATPS (rev05) is part of our Wildcat! SMTP component in our commercial Application Hosting package used by customers in the field.

--
HLS


_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
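
Added example, not part of the original post and not the Wildcat! implementation: a small audit of the Authentication-Results header quoted in the message. It groups the clauses into per-signature triplets and marks whether each reported dmarc=pass rests on a signature that actually verified. The function names and the "backed" rule (dkim=pass for the same signer.d) are assumptions made for this illustration.

```python
import re

# Header from the post above, divider lines removed (continuation lines folded).
HEADER = """\
Authentication-Results: dkim.winserver.com;
 dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
 adsp=pass policy=all author.d=isdg.net asl.d=ietf.org;
 dmarc=pass policy=none author.d=isdg.net signer.d=ietf.org (atps signer);
 dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=isdg.net header.s=tms1 header.i=isdg.net;
 adsp=pass author.d=isdg.net signer.d=isdg.net (originating signer);
 dmarc=pass policy=none author.d=isdg.net signer.d=isdg.net (originating signer);
"""

CLAUSE = re.compile(r"^(dkim|adsp|dmarc)=(\w+)\s*(.*)$", re.S)

def parse_clause(text):
    """Split one 'method=result (comment) key=value ...' clause into a dict."""
    m = CLAUSE.match(text.strip())
    if not m:
        return None
    method, result, rest = m.groups()
    words = re.sub(r"\([^)]*\)", " ", rest).split()  # drop parenthesised comments
    props = dict(w.split("=", 1) for w in words if "=" in w)
    return {"method": method, "result": result, "props": props}

def triplets(header):
    """Group clauses per signature; every dkim= clause starts a new group."""
    groups = []
    for raw in header.split(";")[1:]:  # element [0] is the authserv-id part
        clause = parse_clause(raw)
        if clause and clause["method"] == "dkim":
            groups.append({})
        if clause and groups:
            groups[-1][clause["method"]] = clause
    return groups

def audit(header):
    """Rows of (signer, role, reported dmarc result, backed by a valid signature)."""
    rows = []
    for g in triplets(header):
        if "dmarc" not in g:
            continue
        dkim, dmarc = g["dkim"]["props"], g["dmarc"]["props"]
        signer = dkim.get("header.d")
        role = "originating" if signer == dmarc.get("author.d") else "third-party"
        # Assumed rule: a DMARC pass only counts if the signature it rests on verified.
        backed = g["dkim"]["result"] == "pass" and dmarc.get("signer.d") == signer
        rows.append((signer, role, g["dmarc"]["result"], backed))
    return rows
```

Calling `audit(HEADER)` yields one row per triplet; the isdg.net row reports dmarc=pass with the last field False, which is the case the message singles out.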