Re: [mailop] DMARC with broken DKIM (was: Re: DMARC p=quarantine pct=0)

2018-04-09 Thread John Levine
In article  you write:
>Sometimes I'm thinking DMARC should have enforced DKIM, and not allowed
>to have only a match in {SPF, DKIM}, because it leads to issues like
>broken-DKIM working-SPF domains not noticing things are wrong even
>though they *are*…

That was ADSP.  It was even worse than DMARC.

At some point you have to believe what people say.  If they're
sending mail with broken signatures and strict DMARC policies, they
are asking people to throw it away.

Remember, p=reject doesn't mean mail is important.  It means mail is
so UNimportant that you should throw it away if there's any question
about its authenticity.

R's,
John

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop


Re: [mailop] DMARC with broken DKIM (was: Re: DMARC p=quarantine pct=0)

2018-04-09 Thread Brandon Long via mailop
We've also seen various banks and other large companies who seem to
specifically only use SPF with DMARC, as a way of disallowing
forwarding, I guess.

With ARC, you can actually "pass" the SPF pass through the forwarder.

Not that there's anywhere near wide enough acceptance of ARC to make that
your default.

Rewriting or rejecting.  I tend to favor rewriting, but arguments can be
made both ways.  Assuming the forwarding service is something set up by
the receiver, then they almost certainly would prefer to get the mail.

As for whether DMARC should have allowed SPF, there were several policy
proposals based on DKIM directly that failed.  DMARC added three things
to those: From header alignment, reporting and SPF.  Which of those made
it more successful than the previous attempts, or was it just the parties
involved in creating it, the timing, the need getting big enough... who
knows.

Brandon

On Mon, Apr 9, 2018 at 3:35 PM Leo Gaspard via mailop wrote:

> On 04/09/2018 08:45 PM, Jesse Thompson wrote:
> > Kinda, yes.  Anyone
> > running a non-compliant list server should look to
> > how other list servers are making themselves compliant.  Could be...
> > 1) rewrite headers
> > 2) not break DKIM
> > 3) ARC?
> > I don't want to be overly prescriptive (no one in academia likes to be
> > told what to do) but rather to let people know that (a) change is coming
> > and it isn't scary, and (b) here are some possible changes you can make
> Slight topic change: We've seen email sent from email servers using
> DMARC p=reject but with broken DKIM (basically relaying through sendgrid
> but with some error in the DKIM DNS configuration, as far as I can
> remember).
>
> We handle an email forwarder that, usually, doesn't break DKIM, so DMARC
> should be fine. Except when the source mail is DKIM-invalid and the only
> thing that keeps the mail from being rejected is SPF alignment, which
> we cannot fix on our side.
>
> What is there, as an email forwarder, that we could do to be compliant?
> Currently our only guess is to rewrite headers when the email comes with
> broken DKIM yet valid SPF, but even though it's OK for lists that's
> unexpected from the user's point of view from forwarding services…
>
> Or should we just reject these mails and tell the sender to do the
> things properly? doesn't work well with the end users…
>
> Sometimes I'm thinking DMARC should have enforced DKIM, and not allowed
> to have only a match in {SPF, DKIM}, because it leads to issues like
> broken-DKIM working-SPF domains not noticing things are wrong even
> though they *are*…
>


[mailop] DMARC with broken DKIM (was: Re: DMARC p=quarantine pct=0)

2018-04-09 Thread Leo Gaspard via mailop
On 04/09/2018 08:45 PM, Jesse Thompson wrote:
> Kinda, yes.  Anyone
> running a non-compliant list server should look to
> how other list servers are making themselves compliant.  Could be...
> 1) rewrite headers
> 2) not break DKIM
> 3) ARC?
> I don't want to be overly prescriptive (no one in academia likes to be
> told what to do) but rather to let people know that (a) change is coming
> and it isn't scary, and (b) here are some possible changes you can make
Slight topic change: We've seen email sent from email servers using
DMARC p=reject but with broken DKIM (basically relaying through sendgrid
but with some error in the DKIM DNS configuration, as far as I can
remember).

We handle an email forwarder that, usually, doesn't break DKIM, so DMARC
should be fine. Except when the source mail is DKIM-invalid and the only
thing that keeps the mail from being rejected is SPF alignment, which
we cannot fix on our side.

What is there, as an email forwarder, that we could do to be compliant?
Currently our only guess is to rewrite headers when the email comes with
broken DKIM yet valid SPF, but even though it's OK for lists that's
unexpected from the user's point of view from forwarding services…

Or should we just reject these mails and tell the sender to do the
things properly? doesn't work well with the end users…

Sometimes I'm thinking DMARC should have enforced DKIM, and not allowed
to have only a match in {SPF, DKIM}, because it leads to issues like
broken-DKIM working-SPF domains not noticing things are wrong even
though they *are*…

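The failure mode Leo describes (a p=reject domain whose DKIM is broken, so only SPF alignment carries it at origin, and nothing carries it after a forwarder) and Brandon's remark that ARC can pass the forwarder's SPF result through, as an added worked example. This is editor-written illustration code, not anything posted in the thread or run by the people in it. The domain names bank.example and forwarder.example, the sample authentication results, the trusted-sealer list (a receiver's local policy; ARC itself does not say whom to trust) and the "last two labels" organizational-domain shortcut are all assumptions made for the example.

```python
"""DMARC's SPF-or-DKIM rule as seen by a receiver and by a DKIM-preserving forwarder.

Added example for the mailop thread above; domains, results and the ARC override are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def org_domain(domain: str) -> str:
    # Assumption/simplification: organizational domain = last two labels.
    # A real evaluator consults the Public Suffix List (think "example.co.uk").
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str                          # domain of the RFC5322.From header
    spf_result: str                           # "pass", "fail", "softfail", "none", ...
    spf_domain: str                           # RFC5321.MailFrom domain SPF was checked for
    dkim: List[Tuple[str, str]] = field(default_factory=list)      # (d= domain, result)
    arc_spf: Optional[Tuple[str, str, str]] = None  # (sealer, spf result, spf domain) from ARC-Authentication-Results


@dataclass
class DmarcRecord:
    p: str = "none"     # requested disposition: none / quarantine / reject
    adkim: str = "r"    # DKIM alignment mode
    aspf: str = "r"     # SPF alignment mode


# Assumption: the receiver's local policy. ARC does not define which sealers to believe.
TRUSTED_ARC_SEALERS = {"forwarder.example"}


def aligned_dkim_pass(ar: AuthResults, rec: DmarcRecord) -> bool:
    return any(res == "pass" and aligned(d, ar.from_domain, rec.adkim) for d, res in ar.dkim)


def aligned_spf_pass(ar: AuthResults, rec: DmarcRecord) -> bool:
    return ar.spf_result == "pass" and aligned(ar.spf_domain, ar.from_domain, rec.aspf)


def dmarc_evaluate(ar: AuthResults, rec: DmarcRecord) -> str:
    """Return "pass", or the disposition the sender's policy asks for on failure."""
    if aligned_spf_pass(ar, rec) or aligned_dkim_pass(ar, rec):
        return "pass"          # either aligned identifier is enough (RFC 7489 section 4.2)
    if ar.arc_spf is not None:
        sealer, res, dom = ar.arc_spf
        # Local override: honour the SPF result a trusted forwarder recorded before relaying.
        if sealer in TRUSTED_ARC_SEALERS and res == "pass" and aligned(dom, ar.from_domain, rec.aspf):
            return "pass"
    return rec.p


def forwarder_action(ar: AuthResults, rec: DmarcRecord) -> str:
    """Decide, at a DKIM-preserving forwarder, what to do with a message before relaying it."""
    if aligned_dkim_pass(ar, rec):
        return "forward"       # the signature survives forwarding, DMARC will still pass
    if rec.p in ("quarantine", "reject") and aligned_spf_pass(ar, rec):
        return "rewrite-from"  # only SPF holds it up, and SPF will not survive the relay
    return "forward"           # p=none, or already failing at origin: nothing to protect


def scenarios() -> Dict[str, str]:
    """Constructed sample results for a bank.example message whose DKIM signature is broken."""
    policy = DmarcRecord(p="reject")
    at_origin = AuthResults("bank.example", "pass", "bank.example",
                            dkim=[("bank.example", "fail")])
    forwarded = AuthResults("bank.example", "pass", "forwarder.example",
                            dkim=[("bank.example", "fail")])
    forwarded_arc = AuthResults("bank.example", "pass", "forwarder.example",
                                dkim=[("bank.example", "fail")],
                                arc_spf=("forwarder.example", "pass", "bank.example"))
    signed_ok = AuthResults("bank.example", "pass", "bank.example",
                            dkim=[("mail.bank.example", "pass")])
    return {
        "at_origin": dmarc_evaluate(at_origin, policy),               # pass: SPF alone carries it
        "forwarded": dmarc_evaluate(forwarded, policy),               # reject: SPF unaligned, DKIM broken
        "forwarded_with_arc": dmarc_evaluate(forwarded_arc, policy),  # pass: trusted sealer's SPF result
        "forwarder_broken_dkim": forwarder_action(at_origin, policy), # rewrite-from
        "forwarder_good_dkim": forwarder_action(signed_ok, policy),   # forward
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:24} {outcome}")
```

The three dmarc_evaluate scenarios are the same message at three points: at the origin receiver it passes on SPF alone, after a plain forwarder it hits p=reject because SPF now vouches for the forwarder's domain and the broken DKIM never vouched for anything, and after an ARC-sealing forwarder the receiver's own override rule lets it through. forwarder_action is the forwarder-side check Leo asks about: rewrite the From header only when an enforcing policy is being carried by SPF alone, and leave everything else untouched.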