As most of you already know, the DCRUP working group is adding a new signature 
algorithm to DKIM.  I have been sending dual rsa-sha256/ed25519-sha256 signed 
mail for some time and I have noticed an oddity in DMARC reporting.

Typically, I'll see something like this XML snippet:

                <auth_results>
                        <dkim>
                                <domain>kitterman.com</domain>
                                <result>pass</result>
                                <selector>201803r</selector>
                        </dkim>
                        <dkim>
                                <domain>kitterman.com</domain>
                                <result>fail</result>
                                <selector>201803e</selector>
                        </dkim>

The first one is the rsa-sha256 signature and the second, marked fail, is the 
ed25519-sha256 signature (I can tell based on the selector).  In all cases 
I've checked, the correct (DMARC pass) result was obtained, but I don't think 
this is the best way to report it.

RFC 6376 says:

> 3.3.4.  Other Algorithms
> 
>    Other algorithms MAY be defined in the future.  Verifiers MUST ignore
>    any signatures using algorithms that they do not implement.

I'm not sure reporting a failure is consistent with "MUST ignore".  In any 
case, I think it would be useful to distinguish between DKIM evaluation failed 
and not evaluated due to unknown algorithm in DMARC reporting.

Scott K
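The distinction the post asks for, written out as an added example (this is not code from the post, from any DKIM library, or from the DCRUP work): a verifier-side gate that treats a DKIM-Signature whose a= tag names an unimplemented algorithm as "ignored" rather than "fail", per RFC 6376 section 3.3.4, plus a small reader for the <auth_results> block of a DMARC aggregate report shaped like the snippet above. The supported-algorithm set, the sample headers, the example.com domain and the report fragment are all constructed for illustration; the alignment check is a simplification of RFC 7489 identifier alignment, and no cryptographic verification is performed.

```python
"""Added example: ignore-vs-fail triage for DKIM signatures with unknown
algorithms (RFC 6376 s.3.3.4) and a reader for DMARC aggregate-report
<auth_results>.  Sample headers and XML below are constructed."""
import re
import xml.etree.ElementTree as ET

# Algorithms this hypothetical verifier implements.  A verifier written
# before ed25519-sha256 existed would look exactly like this.
SUPPORTED_ALGS = {"rsa-sha256"}

# Outcomes a verifier can record; "ignored" is the state the post wants
# reported separately from "fail".
PASS, FAIL, IGNORED = "pass", "fail", "ignored"


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 s.3.2).
    Folding whitespace inside values is removed; tag names are case-sensitive."""
    tags = {}
    for field in header_value.split(";"):
        if "=" not in field:
            continue
        name, value = field.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def triage_signature(header_value: str, supported=SUPPORTED_ALGS) -> str:
    """Decide whether a signature is even eligible for cryptographic checking.

    Returns IGNORED when the a= tag is missing or names an algorithm this
    verifier does not implement, so the caller never records it as FAIL.
    Returns "evaluate" otherwise; key lookup and signature verification are
    out of scope for this example.  Names are lower-cased before comparison
    because the registered algorithm names are lowercase."""
    alg = parse_dkim_tags(header_value).get("a")
    if alg is None or alg.lower() not in supported:
        return IGNORED
    return "evaluate"


def read_auth_results(report_xml: str) -> list:
    """Extract (domain, selector, result) triples from the <dkim> entries of a
    DMARC aggregate report (RFC 7489 Appendix C).  Reports come from third
    parties, so a production reader should parse them with defusedxml; the
    stdlib parser is used here only to keep the example dependency-free."""
    root = ET.fromstring(report_xml)
    return [
        (d.findtext("domain"), d.findtext("selector"), d.findtext("result"))
        for d in root.iter("dkim")
    ]


def dmarc_dkim_pass(results: list, from_domain: str) -> bool:
    """DMARC needs only one aligned, passing DKIM signature, so a second
    signature marked fail (or ignored) does not change the outcome.
    Alignment is approximated as exact match or parent/child domain match."""
    for domain, _selector, result in results:
        if domain is None:
            continue
        aligned = (domain == from_domain
                   or domain.endswith("." + from_domain)
                   or from_domain.endswith("." + domain))
        if aligned and result == PASS:
            return True
    return False


# Constructed sample: one dual-signed message as seen by an rsa-only verifier.
RSA_SIG = "v=1; a=rsa-sha256; d=example.com; s=201803r; h=from:to:subject; bh=abc=; b=def="
ED_SIG = "v=1; a=ed25519-sha256; d=example.com; s=201803e; h=from:to:subject; bh=abc=; b=ghi="

# Constructed aggregate-report fragment shaped like the one in the post.
REPORT = """<record><auth_results>
  <dkim><domain>example.com</domain><result>pass</result><selector>201803r</selector></dkim>
  <dkim><domain>example.com</domain><result>fail</result><selector>201803e</selector></dkim>
</auth_results></record>"""

if __name__ == "__main__":
    print(triage_signature(RSA_SIG), triage_signature(ED_SIG))  # evaluate ignored
    rows = read_auth_results(REPORT)
    print(rows, dmarc_dkim_pass(rows, "example.com"))
```

Passing a larger set as `supported` (for example `{"rsa-sha256", "ed25519-sha256"}`) makes `triage_signature` hand the ed25519 header on to verification instead of ignoring it, which is the state a verifier reaches once it implements the new algorithm.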
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)