> On 24 Mar 2025, at 14:26, Todd Herr <[email protected]> wrote:
>
> On Sun, Mar 23, 2025 at 2:24 PM Al Iverson <[email protected]> wrote:
>> On Fri, Mar 21, 2025 at 9:41 AM Todd Herr <[email protected]> wrote:
>>
>> > Here is what I currently understand to be true:
>> >
>> > DMARC provides the ability for a Domain Owner to request handling for
>> > messages that fail email validation (SPF and DKIM) and to receive reports
>> > about use of its domain
>> > DKIM2, as currently described, allows and even encourages receivers to
>> > reject messages that fail DKIM2 validation
>>
>> DMARC also provides the ability for reporting on messages spoofing the
>> domain owner's domain without aligned authentication, no?
>> Does DKIM2 allow for that somehow?
>
> Wrapped up in my "DMARC provides the ability for a Domain Owner ... to
> receive reports about use of its domain" is the reporting about messages
> spoofing the domain.
One of the current problems / failures with DMARC is that there is no reporting to the domain owner if the d= domain doesn’t align with the Header From: address. So, folks are having problems with their domains being used in the DKIM signature but they don’t know (and they can’t tell) because it’s not their domain behind DMARC.

>> > Moreover it removes the need for any kind of reporting, as a Domain Owner
>> > will know from the rejections which messages that it authorized failed to
>> > authenticate and presumably why, and the Domain Owner will never see the
>> > rejections of unauthorized messages that did not originate at the behest
>> > of the Domain Owner, with the latter class of rejections being ones that
>> > the Domain Owner wouldn't find actionable, anyway.
>>
>> I think the assumption here that I don't agree with is that reporting
>> about the forged mail has to be specifically "actionable" to be
>> useful.
>
> You lose me here, because I don't see the point of reporting unless it's
> somehow actionable. To my mind, a report that X is using my domain does me no
> good unless there's enough in the report for me to attempt to take action to
> stop X from using my domain.

The same argument could be said for DMARC, yes?

>> > So, assuming a future world where a DKIM2 specification includes the text
>> > "Mail Receivers SHOULD reject any message that fails DKIM2 validation" or
>> > similar, and DKIM2 is widely adopted by mailbox providers and MTA
>> > vendors, I have some questions about that world:
>> >
>> > Why would a Mail Receiver accept a message that fails DKIM2 validation?
>>
>> Why does a domain owner or mail platform accept a message that fails
>> DMARC today?
>
> Local policy, I assume. However, the DKIM2 model currently being discussed is
> one where a DKIM2 failure means that rejecting the message is likely to be
> the most (and perhaps only) prudent decision for the validator.
>
> That rejection, according to the current model being discussed, should then
> wend its way back through all hops that handled the message and eventually to
> the originator.
>
> If the originator is the Domain Owner, then the Domain Owner is aware of an
> authentication shortcoming to be addressed. If the originator is not the
> Domain Owner, the unauthorized use of the domain has been prevented by the
> rejection.

I don’t understand the problem?

>> > Why would a Domain Owner publish a DMARC policy record when it's sending
>> > mail that is DKIM2-signed?
>>
>> To gain insight into unauthenticated mail attempts being initiated by
>> third parties.
>
> To what end, though? What good is "insight" without any way to fix the
> problem or stop the abuse?

You at least know the abuse is happening - which you don’t currently.

>
>> > What would anyone hope to gain by issuing or consuming DMARC reports
>> > showing messages that failed DKIM2 validation but were accepted in spite
>> > of such failure?
>>
>> Use case: showing reporting on messages that failed but were accepted
>> in spite of failure can help to measure the amount of mail one is
>> allowing to bypass authentication checks and can be useful to
>> calculate the ongoing risk of doing so, and to identify potential
>> shadow IT infrastructure that needs to be upgraded or replaced.
>>
>> But DMARC reports don't /only/ show failed-but-accepted messages. If
>> this use case is invalidated (is it? I don't quite understand why it
>> would be invalidated), others still exist.
>>
>> TL;DR, DKIM2 w/o DMARC leaves what I think would be reporting gaps
>> that I think IT/security people might not want to lose insight into.
>
> And I claim that the rejections of the messages as per the current DKIM2
> model being discussed render reporting unnecessary.

I didn’t see any requirement that reports be generated or consumed.
But, there is some need for folks to know when their domains are being used in DKIM signatures for mail not originating from their servers and in a situation where they are not going to get DMARC reports about it. The obvious one here is anyone who double DKIM signs mail sent through their servers by their customers. The sender of the message gets the DMARC report, but the double signer doesn’t get any information about that. But now they will.

laura

> --
> Todd Herr
> Some Guy in VA LLC
> [email protected]
> 703-220-4153
> Book Time With Me: https://calendar.app.google/tGDuDzbThBdTp3Wx8
> _______________________________________________
> Ietf-dkim mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
The Delivery Expert
Laura Atkins
Word to the Wise
[email protected]
Delivery hints and commentary: http://wordtothewise.com/blog
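The alignment point made in this message (an unaligned d= domain gets no DMARC report, and a provider that adds its own second signature still hears nothing) can be traced through the RFC 7489 rules. The following is an added illustration, not code from anyone in the thread: it implements identifier alignment (section 3.1) and a simplified organizational-domain lookup (section 3.2), then reports who would receive the aggregate report for a message. The Public Suffix List stand-in and the customer.org / esp.net scenarios are constructed for the example.

```python
"""Added example (not part of the thread): who receives a DMARC aggregate report
for a message, given the DKIM d= domains on it.

Under RFC 7489 the report goes to the rua= of the RFC5322.From domain's DMARC
record; an unaligned d= domain is at most a row inside that report, so its
owner learns nothing. The scenarios at the bottom are constructed.
"""

# Assumption: a tiny stand-in for the Public Suffix List, enough for this file.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """RFC 7489 section 3.2: the public suffix plus one more label (simplified)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{domain!r} is a public suffix, not a domain")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])          # unknown suffix: assume last two labels


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """RFC 7489 section 3.1 identifier alignment.

    mode 's' (strict): exact match; mode 'r' (relaxed): same organizational domain.
    """
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate(from_domain, dkim_results, spf_result=None, adkim="r", aspf="r"):
    """Evaluate DMARC for one message and say who learns what.

    dkim_results: list of (d= domain, signature verified) per DKIM-Signature header
    spf_result:   (MAIL FROM domain, SPF pass) or None
    """
    passing_dkim = [d for d, ok in dkim_results if ok]
    aligned_dkim = [d for d in passing_dkim if aligned(d, from_domain, adkim)]
    unaligned_dkim = [d for d in passing_dkim if d not in aligned_dkim]
    spf_aligned = bool(spf_result and spf_result[1]
                       and aligned(spf_result[0], from_domain, aspf))
    # The policy (and therefore rua=) lookup tries the exact From domain, then
    # its organizational domain. The d= domains play no part in that lookup.
    candidates = [from_domain, organizational_domain(from_domain)]
    return {
        "dmarc_pass": bool(aligned_dkim) or spf_aligned,
        "report_goes_to": list(dict.fromkeys(candidates)),
        # These signatures verified, but DMARC reporting never tells their owners.
        "signers_not_reported_to": unaligned_dkim,
    }


if __name__ == "__main__":
    # customer.org sends via an ESP that signs only with its own domain: DMARC
    # fails, customer.org gets the report, esp.net hears nothing.
    print(evaluate("customer.org", [("esp.net", True)], ("bounce.esp.net", True)))
    # Double signing: the ESP adds d=customer.org and d=esp.net. DMARC passes,
    # the report still goes to customer.org, and esp.net still learns nothing.
    print(evaluate("customer.org", [("customer.org", True), ("esp.net", True)]))
    # Relaxed versus strict DKIM alignment for a subdomain in the From header.
    print(evaluate("news.customer.org", [("customer.org", True)], adkim="r")["dmarc_pass"])
    print(evaluate("news.customer.org", [("customer.org", True)], adkim="s")["dmarc_pass"])
```

Running the file prints the two esp.net scenarios side by side; in both, `signers_not_reported_to` contains esp.net regardless of whether the message passed DMARC, which is the gap the message above describes. A real validator would consult the full Public Suffix List and the actual DMARC record rather than the simplified lookup here.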
