Re: [Assp-test] DKIMCache and DMARC

Tue, 08 Apr 2025 06:09:12 -0700 

This bug will be fixed in the next release.

Thank you for reporting!

Thomas



Von:    "Zrin Žiborski" <zrin+a...@ziborski.net>
An:     "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Datum:  08.04.2025 00:58
Betreff:        [Assp-test] DKIMCache and DMARC







Hello Thomas,
I still find domains in the DKIMCache which do not use DKIM, but do have 
DMARC policy. Subsequently, messages from that domains which do not arrive 
signed get undeserved score.
What has changed within last few months is that many domains got a DMARC 
entry, but do not use DKIM, I guess because a big player decided that any 
domain that sends e-mails shall have one.

The sub DKIMCacheAdd is called in sub DKIMpreCheckOK_Run, sub DMARCok and 
sub DKIMOK_Run.
- Can you please check and make sure that sub DKIMCheckAdd is called only 
for domains for which there is a signature in the e-mail which exactly 
matches the sender (from) domain?
- Can you add debug output so adding a domain to DKIMCache gets logged and 
we can identify which e-mails get a domain added to DKIMCache where it 
should not get added?
In sub DMARCok:
    if (! $this->{DMARC_arc} && $DKIMCacheStrict) {
        DKIMCacheAdd($this->{dmarc}->{domain}) if $this->{dmarc}->{domain} 
&& $this->{dmarc}->{domain} ne $this->{dmarc}->{dom};
        DKIMCacheAdd($this->{dmarc}->{dom}) if $this->{dmarc}->{dom};
        for my $dom (@{$this->{dmarc}->{DKIMdomains}}) {
            DKIMCacheAdd($dom) if $dom && $dom ne $this->{dmarc}->{domain} 
&& $dom ne $this->{dmarc}->{dom};
        }
    }

Do I understand correctly that the domain will get added to DKIMCache if 
the message does not contain ARC and $DKIMCacheStrict is true - no matter 
if the domain actually uses DKIM?
As many domains have DMARC entry in the DNS but do not use DKIM - is this 
the source of the problem?

In sub DKIMpreCheckOK_Run:
DKIMCacheAdd($domain) if $dkimdomain && ($qdtxt ne 'unknown' || 
$DKIMCacheStrict);

- Can you please check that $dkimdomain is true only if the domain really 
uses DKIM keys?

Please let me know if I can help any further.
Thank you very much in advance,
best regards,
Zrin
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test






















					Reply via email to