[Ietf-dkim] Fwd: Re: [..] Recommendation for dkim signing

Wed, 06 Mar 2024 14:45:04 -0800 

--- Forwarded from Steffen Nurpmeso <stef...@sdaoden.eu> ---
Date: Wed, 06 Mar 2024 23:43:00 +0100
Author: Steffen Nurpmeso <stef...@sdaoden.eu>
From: Steffen Nurpmeso <stef...@sdaoden.eu>
...
Subject: Re: [..] Recommendation for dkim signing
Message-ID: <20240306224300.AvxERJ7Z@steffen%sdaoden.eu>
...

One. Last. Message. Of mine.

And sorry for all this mostly off-topic noise.

Steffen Nurpmeso wrote in
 <20240306214948.V5gSjSiU@steffen%sdaoden.eu>:
 ...
 |So now that i have DKIM myself i tested.
 |And *no* verification software i can reach actually supports
 |Ed25519-sha256 as of RFC 8463 from September 2018!
 |It is even *worse* than that.
 ...
 |  - Microsoft: fails the DKIM test if a RFC 8463 signature is
 |    present, no matter whether first or last!!!
 |    Is this *really* true?  That is really bad.

      + It even actively fails SHA1 DKIM signatures.
        I know these are deprecated, but if i use a rsa-sha1 and
        a rsa-sha256 signature in that order:

      Authentication-Results: spf=pass (sender IP is 217.144.132.164)
       smtp.mailfrom=sdaoden.eu; dkim=fail (body hash did not verify)
       header.d=sdaoden.eu;dmarc=bestguesspass action=none
       header.from=sdaoden.eu;compauth=pass reason=109

        The *very*same* message/-checkum passes Google:

      Authentication-Results: mx.google.com;
       dkim=pass (test mode) header.i=@sdaoden.eu header.s=lemon 
header.b=meYlPkTE;
       dkim=pass (test mode) header.i=@sdaoden.eu header.s=citron 
header.b=Cehr1W9z;
       spf=pass (google.com: domain of stef...@sdaoden.eu designates 
217.144.132.164 as permitted sender) smtp.mailfrom=stef...@sdaoden.eu

        Looking at that.  Say, the Microsoft
        Authentication-Results: does not denote its own domain
        name, no?  Ie i could not strip it.  I have not read RFC
        8601 for very too long to know, though.
        They do not look at the h=sha1 of the DNS record, do they.
        They do not look at the a= of the DKIM signature.

  ...
 |  - Place a single signature.
 |
 |  - It must be RSA-sha256.

And exactly only that.

 |RFC 6376 surely would have deserved something better.

Good night, greetings, and
Ciao from Germany,
 -- End forward <20240306224300.AvxERJ7Z@steffen%sdaoden.eu>

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim

Reply via email to