On 5/7/2015 4:27 PM, Scott Kitterman wrote:
> On May 7, 2015 3:54:55 PM EDT, Hector Santos <hsan...@isdg.net> wrote:
>> Since 05/2014, I have published DMARC records for several of my
>> domains. Our mail receivers support ATPS (rev04), where the "atps=y" tag
>> extension was added to my records. For example, for my non-corporate,
>> "play around" domain isdg.net, I have:
>>
>>    "v=DMARC1; p=none; atps=y; rua=mailto:dmarc-...@isdg.net;
>>     ruf=mailto:dmarc-...@isdg.net;";
>>
>> ATPS draft rev04 was written as an ADSP extension.  With rev05 and the
>> final ATPS RFC 6541, ATPS was made an extension of the DKIM record
>> instead, not ADSP.
>>
>> What I did was add ATPS support to the DMARC record as a 3rd-party
>> extension allowed by DMARC.
>>
>> I am happy to report that after two years, there is no indication of
>> an interop problem.  The unknown tag to non-supported ATPS receivers
>> does not interfere with the DMARC processing.  The reports received
>> come from a wide number of domains.
>>
>> I am also happy to report that the concept works very well in
>> authorizing third-party resigners using the ATPS (rev04) protocol.
>> Here is an actual Auth-Res for a list message (ietf.org resigner).  I
>> put a divider line for better viewing:
>>
>> Authentication-Results: dkim.winserver.com;
>>   ----
>>   dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
>>   adsp=pass policy=all author.d=isdg.net asl.d=ietf.org;
>>   dmarc=pass policy=none author.d=isdg.net signer.d=ietf.org (atps signer);
>>   ----
>>   dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=isdg.net header.s=tms1 header.i=isdg.net;
>>   adsp=pass author.d=isdg.net signer.d=isdg.net (originating signer);
>>   dmarc=pass policy=none author.d=isdg.net signer.d=isdg.net (originating signer);
>>
>> The first (bottom) triplet results are for the original signature. It
>> fails the DKIM signature with a body hash mismatch. Both ADSP and
>> DMARC pass as original signers (author == signer). In reality, if the
>> rejection switch were enabled, this should be a FAIL because the
>> signature is invalid.
>>
>> However, for the ietf.org list resigner triplet results, it passed as
>> an ADSP ASL resigner and ATPS record resigner (author != signer).
>>
>> DKIM/ATPS (rev05) is part of our Wildcat! SMTP component in our
>> commercial Application Hosting package used by customers in the field.

> I think it's wrong to describe that as a DMARC result.  For DMARC as specified,
> that's a fail.


Oh, you mean there should be an "atps=" auth-result? OK, I can buy that, but then again the AUTH-RES is for internal consumption, not external; having it as a single-source result to a DMARC result reader would be OK.

Nonetheless, the end result is the same: the ATPS would authorize the resigner. No other DKIM signature-related changes are needed.


--
HLS
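Added example, not code from this thread nor from the Wildcat!, ietf.org or any other participant's software: a tolerant DMARC record parser and the RFC 7489 identifier-alignment check, run against the situation in the quoted Authentication-Results. It shows the two points under discussion: a DMARC-as-specified evaluator skips an unknown tag such as "atps=y" rather than choking on it, and the list-resigned message is a DMARC fail, because the only verifying DKIM signature (d=ietf.org) does not align with the author domain isdg.net and the aligned isdg.net signature failed its body hash. Assumptions: the sample record mirrors the one quoted above but uses placeholder report addresses, and the organizational-domain helper is a last-two-labels simplification rather than a Public Suffix List lookup.

```python
# Added example (not from the thread or from any participant's software):
# a tolerant DMARC record parser plus the RFC 7489 identifier-alignment check.

from dataclasses import dataclass, field

# Tags defined for DMARC records in RFC 7489 section 6.3; the record-parsing
# rules there say any other tag is to be ignored.
KNOWN_TAGS = {"v", "p", "sp", "adkim", "aspf", "rua", "ruf", "fo", "rf", "ri", "pct"}

# Constructed sample mirroring the record quoted in the thread; the report
# addresses are placeholders, not the elided ones from the message.
SAMPLE_RECORD = (
    "v=DMARC1; p=none; atps=y; "
    "rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com;"
)


@dataclass
class DmarcRecord:
    policy: str
    adkim: str = "r"   # DKIM alignment mode: r = relaxed (default), s = strict
    aspf: str = "r"    # SPF alignment mode
    known: dict = field(default_factory=dict)
    unknown: dict = field(default_factory=dict)


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a DMARC TXT record, keeping unknown tags aside instead of failing."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate the trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    # 'v=DMARC1' must be the first tag, and 'p' is required in a policy record.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("not a DMARC1 record")
    tags = dict(pairs)
    if "p" not in tags:
        raise ValueError("missing required 'p' tag")
    known = {k: v for k, v in tags.items() if k in KNOWN_TAGS}
    unknown = {k: v for k, v in tags.items() if k not in KNOWN_TAGS}
    return DmarcRecord(policy=known["p"], adkim=known.get("adkim", "r"),
                       aspf=known.get("aspf", "r"), known=known, unknown=unknown)


def org_domain(domain: str) -> str:
    """Organizational domain, simplified for this example to the last two labels.
    A production evaluator derives it from the Public Suffix List (RFC 7489 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(author_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 section 3.1 identifier alignment: strict = exact match,
    relaxed = same organizational domain."""
    if mode == "s":
        return author_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(author_domain) == org_domain(auth_domain)


def dmarc_result(record: DmarcRecord, author_domain: str,
                 dkim_results, spf_result=None) -> str:
    """DMARC pass/fail as specified: at least one authentication identifier
    must both verify and align with the RFC5322.From domain.

    dkim_results: iterable of (d= signing domain, signature verified?)
    spf_result:   (MAIL FROM domain, spf passed?) or None when no SPF data
    """
    for signing_domain, verified in dkim_results:
        if verified and aligned(author_domain, signing_domain, record.adkim):
            return "pass"
    if spf_result is not None:
        mfrom_domain, passed = spf_result
        if passed and aligned(author_domain, mfrom_domain, record.aspf):
            return "pass"
    return "fail"


def evaluate_quoted_case() -> str:
    """The quoted Authentication-Results: author isdg.net, d=ietf.org verified,
    d=isdg.net failed (body hash mismatch), no SPF data available."""
    record = parse_dmarc(SAMPLE_RECORD)
    return dmarc_result(record, "isdg.net",
                        [("ietf.org", True), ("isdg.net", False)])


if __name__ == "__main__":
    rec = parse_dmarc(SAMPLE_RECORD)
    print("policy:", rec.policy, "| ignored tags:", rec.unknown)
    print("DMARC result for the list-resigned message:", evaluate_quoted_case())
```

`evaluate_quoted_case()` returns "fail" for the list-resigned message, which is the "DMARC as specified" outcome; any ATPS-style authorization of ietf.org as a third-party signer is a separate step layered on the DKIM result, outside what `dmarc_result` computes, so a receiver that wants to record it has to do so as its own result rather than as the DMARC one.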


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
