On Fri, Aug 26, 2022 at 10:19 AM John Levine via mailop <mailop@mailop.org> wrote:
> It appears that Laura Atkins via mailop <la...@wordtothewise.com> said:
> >To answer your first question: a lot of mail is double signed. Signing
> >with 2 identical d= but different s= is unusual, but I
> >don’t think it’s prohibited anywhere.
>
> It's pretty much mandatory if you're trying to migrate from RSA to EC
> signatures since you can only have one key per selector.
>
> > I also don’t think the RFC addresses anything about mail disposition in
> > case of failures.
>
> Sec 6.1:
>
>    Therefore, a Verifier SHOULD NOT treat a message that has one or more
>    bad signatures and no good signatures differently from a message with
>    no signature at all. ...
>
>    ..., text reading "return status
>    (explanation)" (where "status" is one of "PERMFAIL" or "TEMPFAIL")
>    means that the Verifier MUST immediately cease processing that
>    signature. The Verifier SHOULD proceed to the next signature, if one
>    is present, and completely ignore the bad signature.
>
> > It could be that the 2 identical d= one passing and one failing is
> > causing a spam filter somewhere to act up.
>
> There are certainly plenty of people who didn't read the spec and
> wrongly assume that a failed signature means something is wrong.

I think there can be some subtle differences between "a failed signature means something is wrong" and "a message without authentication has a higher chance of being spam".

I.e., a broken DKIM signature can cause a message to be rejected by DMARC. The DKIM signature was ignored, but that's sufficient for a rejection.

So, while a broken DKIM signature in our system is just ignored, observers may believe that it does cause a spam label or rejection.

That said, there are definitely a relatively small number of places that will reject for failed DKIM, you'll even get that fact as the SMTP rejection response... whether that's sufficient for a sender to react to...

Brandon
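The following is an added example, not code from any participant in this thread: a sketch of how a verifier can combine per-signature results as RFC 6376 Sec. 6.1 describes, and why a message whose only signature is broken can still end up rejected by DMARC. The names `SigResult`, `dkim_outcome` and `dmarc_verdict`, the selectors, and the sample data are hypothetical, and strict alignment is assumed so that no public suffix list is needed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SigResult:
    d: str       # d= signing domain
    s: str       # s= selector
    status: str  # "pass", "PERMFAIL" or "TEMPFAIL" for this one signature

def dkim_outcome(results):
    """RFC 6376 sec. 6.1: ignore bad signatures; only passing ones count.
    No passing signature is reported as "none", the same as an unsigned message."""
    passing = [r for r in results if r.status == "pass"]
    return ("pass" if passing else "none"), passing

def dmarc_verdict(from_domain, results, spf_aligned_pass, policy):
    """DMARC passes if a passing DKIM signature is aligned or SPF passes aligned.
    Assumption: strict alignment (adkim=s), so d= must equal the From: domain."""
    _, passing = dkim_outcome(results)
    dkim_aligned = any(r.d.lower() == from_domain.lower() for r in passing)
    if dkim_aligned or spf_aligned_pass:
        return ("pass", None)
    return ("fail", policy)  # policy is the From: domain's published p= value

# Constructed sample inputs (not taken from the thread).
# Same d=, two selectors, as in an RSA-to-EC migration; one signature fails.
DUAL_SIGNED = [SigResult("example.com", "rsa2022", "pass"),
               SigResult("example.com", "ed2022", "PERMFAIL")]
ONLY_BROKEN = [SigResult("example.com", "rsa2022", "PERMFAIL")]
UNSIGNED = []

if __name__ == "__main__":
    cases = [("dual-signed", DUAL_SIGNED), ("only broken", ONLY_BROKEN),
             ("unsigned", UNSIGNED)]
    for name, sigs in cases:
        # SPF is assumed not to pass aligned, e.g. after forwarding.
        print(name, dkim_outcome(sigs)[0],
              dmarc_verdict("example.com", sigs, False, "reject"))
```

The broken-only and unsigned cases produce identical results: the bad signature itself is ignored, and the DMARC failure comes from the absence of any aligned pass.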