On 5/17/2015 2:29 PM, Hector Santos wrote:
Scanning and Reading DMARC reports, I see there are many reports from
an "OpenDMARC Filter" which includes testing for "dkim-adsp" and
"dkim-atps" protocols. An example Auth-Res:
Authentication-Results: ****************.net;
dkim=pass (1024-bit key; unprotected) header.d=ietf.org
[email protected] header.b=ftopcwZG;
dkim=fail reason="signature verification failed" (1024-bit key;
unprotected) header.d=isdg.net
[email protected] header.b=hi8lLzuw;
dkim=fail reason="signature verification failed" (1024-bit key;
unprotected)
header.d=beta.winserver.com [email protected]
header.b=mQTSS3bH;
dkim-adsp=fail (unprotected policy); dkim-atps=neutral
The dkim-atps result is neutral because RFC6541 requires two tags to
be added to the DKIM-Signature in order to trigger the atps call:
adps=author-domain; atpsh=sha1;
Anticipating some future need to add "user tags" to the DKIM signing
engine:
# USER DEFINED TAGS:
#
# The UserTags are experimental. They are additional signed "tag=value;"
# information added to the signed signature. The tag MUST NOT conflict
# with a DKIM standard tag.
I was able to add the above user tags for outbound mail. In theory,
those OpenDMARC Filter engines with DKIM-atps SHOULD find an atps
record for the ietf.org 3rd party list resigner, which we have for our
isdg.net zone file:
pq6xadozsi47rluiq5yohg2hy3mvjyoo._atps TXT ( "v=atps01; d=ietf.org;" )
This is a test message to feed the OpenDmarc Filter Engines.
Got the report results from one and it still shows dkim-atps=neutral.
Authentication-Results: jacobrideout.net;
dkim=pass (1024-bit key; unprotected) header.d=ietf.org
[email protected] header.b=Cy3wnoYE;
dkim=fail reason="signature verification failed" (1024-bit key;
unprotected) header.d=isdg.net [email protected] header.b=SdvOmLRx;
dkim=fail reason="signature verification failed" (1024-bit key;
unprotected) header.d=beta.winserver.com [email protected]
header.b=YWq3W7JC;
dkim-adsp=fail (unprotected policy); dkim-atps=neutral
I can't tell why it would fail, but here's the problem with
ATPS-RFC6541, the version as a DKIM signature tag extension. The
failure of the DKIM-signature d=isdg.net which has the extra "atps="
and "atpsh=" tags causes the verifier to see the signature as invalid
and ignored as if it never existed.
So ATPS will not be activated because the resigner destroyed it.
This is why ATPS-Rev04, which was an ADSP extension, works: the
"atps=" tags would be off the policy record instead.
--
HLS
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
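The lookup and the verifier decision the message describes, as an added example (not code from the thread, from OpenDMARC, or from RFC 6541 itself): it builds the _atps query name from the signer's d= and the author domain, parses the TXT record, and shows why a failed signature leaves dkim-atps neutral. The label derivation follows RFC 6541 section 4.4 as I read it (lowercased domain, hash chosen by atpsh, base32 encoded); lowercasing the label is my assumption, and the signature results are constructed from the report quoted above.

```python
import base64
import hashlib

# Constructed sample: the three signature results from the quoted report,
# reduced to what an ATPS-aware verifier needs. Only the isdg.net
# signature carries the tags RFC 6541 looks for, and it failed.
SIGNATURES = [
    {"d": "ietf.org", "result": "pass", "tags": {}},
    {"d": "isdg.net", "result": "fail",
     "tags": {"atps": "isdg.net", "atpsh": "sha1"}},
    {"d": "beta.winserver.com", "result": "fail", "tags": {}},
]

def atps_label(signer_domain, atpsh="sha1"):
    """Label queried under the author domain: base32 of the hash of the
    lowercased signer d= (RFC 6541 4.4). atpsh=none uses the bare domain.
    SHA-1 gives 160 bits, so the base32 form is 32 chars with no padding."""
    domain = signer_domain.lower().rstrip(".")
    if atpsh == "none":
        return domain
    digest = hashlib.new(atpsh, domain.encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()

def atps_query_name(signer_domain, author_domain, atpsh="sha1"):
    return f"{atps_label(signer_domain, atpsh)}._atps.{author_domain}"

def parse_atps_record(txt):
    """Parse 'v=atps01; d=ietf.org;' into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def atps_decision(signatures, author_domain):
    """Mirror the verifier behaviour the mail describes: ATPS is consulted
    only for a signature that verified AND names the author domain in
    atps=; a failed signature is discarded, tags and all, so the result
    stays neutral and no DNS query is ever made."""
    for sig in signatures:
        atps = sig["tags"].get("atps")
        if atps is None:
            continue
        if sig["result"] != "pass":
            return ("neutral", f"atps tags on failed signature d={sig['d']}")
        if atps.lower() != author_domain.lower():
            return ("neutral", "atps= does not name the author domain")
        atpsh = sig["tags"].get("atpsh", "sha1")
        return ("query", atps_query_name(sig["d"], author_domain, atpsh))
    return ("neutral", "no signature carries atps= tags")
```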