On Thu, Feb 8, 2024 at 2:31 AM Jeroen Massar <jer...@massar.ch> wrote:

> > Uh, no.  ~all is a soft fail.
>
> Together with DMARC p=none as DKIM signature-presence is ignored and thus
> any email can pass.
>

I don't understand.


> It is not about 'trusting SPF' it is about indicating that when a DKIM
> Signature is missing it should be treated as an error.
>
> There is currently no way to indicate that.
>

Why is DMARC the right place to fix that problem?  It seems like you want a
way to assert this even if the receiver isn't using DMARC.


> > On 6 Feb 2024, at 23:47, Murray S. Kucherawy <superu...@gmail.com>
> wrote:
> >
> > On Tue, Feb 6, 2024 at 2:33 AM Jeroen Massar <jeroen=
> 40massar...@dmarc.ietf.org> wrote:
> > `req=dkim`: requires DKIM, messages not properly signed are then to be
> rejected/quarantined based on 'p' policy.
> >
> > This sounds like what RFC 5617 tried to do, minus the constraint that
> the signing domain be equal to the author domain, which is one of the key
> pieces of DMARC.  Isn't this a pretty big scope expansion?
>
> At that time, when DKIM deployment was low (though I have had DKIM since
> 2009 at least) and DMARC did not exist/heavy-use... it thus got marked
> historic again. It was also another separate TXT entry to check.
>

That's not how I remember it.  The potential side effects of demanding a
valid signature on all messages were discouraging enough that ADSP never
saw any serious uptake.  We documented this in RFC 6377 and proposed some
operational solutions, but (as you can see from this list's discussions
over the years), it's still a problem today.


> > Also, can't an attacker just sign the message with any old throwaway
> domain and defeat this test without providing any new useful information to
> the verifier?
>
> An invalid signature would indicate a fail for 'required DKIM'.
>

But in the situation I described, there is indeed a valid signature.

-MSK
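The policy interplay argued over in this thread (SPF softfail with p=none, the proposed `req=dkim` tag, and a valid but unaligned signature from a throwaway domain), as an added example that is not part of the thread or of any DMARC implementation. The `req=dkim` semantics, the message records and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
"""Toy DMARC disposition evaluator (added example, not from the thread).

Models RFC 7489 relaxed alignment plus a hypothetical 'req=dkim' tag that
only demands the presence of *some* valid DKIM signature. The organizational
domain is approximated as the last two labels (assumption: no PSL lookup).
"""
from dataclasses import dataclass, field


def org_domain(d: str) -> str:
    return ".".join(d.lower().rstrip(".").split(".")[-2:])


@dataclass
class Msg:
    from_domain: str            # RFC5322.From domain
    spf_domain: str             # RFC5321.MailFrom domain checked by SPF
    spf_result: str             # pass / softfail / fail / none
    dkim: list = field(default_factory=list)  # [(d= domain, signature valid?)]


def parse_policy(record: str) -> dict:
    tags = (kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return {k.strip(): v.strip() for k, v in tags}


def evaluate(msg: Msg, record: str) -> dict:
    pol = parse_policy(record)
    from_org = org_domain(msg.from_domain)
    # DMARC passes only on an *aligned* SPF pass or an *aligned* valid DKIM signature;
    # SPF softfail (~all) never counts as a pass.
    spf_aligned = msg.spf_result == "pass" and org_domain(msg.spf_domain) == from_org
    dkim_aligned = any(ok and org_domain(d) == from_org for d, ok in msg.dkim)
    dmarc_pass = spf_aligned or dkim_aligned
    # Hypothetical req=dkim: satisfied by any valid signature, aligned or not.
    req_ok = any(ok for _, ok in msg.dkim) if pol.get("req") == "dkim" else True
    disposition = "none" if (dmarc_pass and req_ok) else pol.get("p", "none")
    return {"dmarc_pass": dmarc_pass, "req_ok": req_ok, "disposition": disposition}


# Constructed sample messages claiming to be From: example.org.
UNSIGNED = Msg("example.org", "example.org", "softfail")                     # no DKIM at all
THROWAWAY = Msg("example.org", "example.org", "softfail", [("attacker.example", True)])
LEGIT = Msg("example.org", "example.org", "pass", [("example.org", True)])

if __name__ == "__main__":
    for name, m in [("unsigned", UNSIGNED), ("throwaway-signed", THROWAWAY), ("legit", LEGIT)]:
        for rec in ("v=DMARC1; p=none", "v=DMARC1; p=reject; req=dkim"):
            print(name, "|", rec, "->", evaluate(m, rec))
```

With p=none the unsigned message is delivered untouched (the "any email can pass" case), while the throwaway-signed message satisfies `req=dkim` yet still fails DMARC alignment, so the tag adds nothing the existing alignment check does not already decide.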
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc