If you're doing this analysis, I think it may be helpful to the
community if you share test vector messages. Data variations that
trigger a bug in one implementation might cause issues with other
implementations and thus may be helpful as a public test vector to
improve overall implementation quality.
- Chris
On 15 May 2019, at 10:09, Doug Foster wrote:
I have recently begun evaluating my incoming traffic for DKIM status, and I suspect the results are relevant to your question.
These results are based on 768 unique domains, on signed messages, received over a few adjacent days. Messages that were blocked for any reason are excluded from the analysis. (I am not blocking based on DKIM status.)
 22   2.9%   have DKIM signatures but fail verification 100%
 15   2.0%   have some DKIM verification failures
  7   0.9%   have 100% rejection due to DNS record syntax errors
  1   0.1%   have some rejections due to DNS record syntax errors
 10   1.3%   have 100% DKIM TXT lookup failures
  1   0.1%   have some DKIM TXT lookup failures
---   ----
 57   7.3%   have DKIM problems
This failure rate is much higher than I would have expected.
When DKIM verification failures are detected, several possibilities must be considered:
- an error exists in the signature generation algorithm at the source system
- modification or addition of a signed header during transit
- an error exists in the signature verification algorithm at the receiving system
We receive very little indirect mail, so I believe that forwarding is not a significant contributor to these problems.
For this type of debugging, it would be helpful if the receiving system logged the message exactly as it was used for signature verification. This would permit independent verification using a tool such as the message header checker at MxToolbox.com. For the devices that I manage, this is not the case. Some of the devices do not log the full message at all. The one that does full logging only logs the message as it is relayed outbound.
My research also exposed a probable data-related bug on one mail server, which causes it to generate incorrect signatures on a small percentage of our outbound traffic. I will be working with the vendor on that.
Doug Foster
-----Original Message-----
From: dmarc [mailto:dmarc-boun...@ietf.org] On Behalf Of Dave Crocker
Sent: Wednesday, April 10, 2019 3:37 PM
To: IETF DMARC WG
Subject: [dmarc-ietf] DNS library queries for DKIM and DMARC records?
Folks,
Howdy.
I'm trying to get a bit of education about reality. Always dangerous, but I've no choice...
For the software you know about, how are queries to the DNS performed,
to obtain the TXT records associated with DKIM and/or DMARC?
I'm trying to understand the breadth and limitations of returned
information that is filtered or passed by the code that is actually in
use. Which libraries and which calls from those libraries.
Thanks.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
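Two points in the thread above are easy to get wrong in a verifier and account for a share of the "DNS record syntax errors" Doug counts and the "which libraries and which calls" question Dave asks: a resolver library returns the TXT RDATA as one or more character-strings of at most 255 octets, which RFC 6376 (Section 3.6.2.2) says must be concatenated with no intervening whitespace before the record is read, and the record itself is a tag=value list whose syntax rules (Section 3.2 and 3.6.1) a verifier has to enforce. The following is an added example written for this page, not code from any participant or from any DKIM library: a small RFC 6376 key-record parser driven by constructed test vectors of the kind Chris suggests sharing. The helper names, the sample records and the key bytes are all invented here; the base64 in `KEY_B64` is not a real public key.

```python
"""
Added example: parse a DKIM key record (RFC 6376, Section 3.6.1) from the
list of TXT character-strings a DNS library returns, enforcing the tag-list
syntax of Section 3.2. Every record below is constructed for this example.
"""
import base64
import re

# RFC 6376 3.2: tag-name = ALPHA *(ALPHA / DIGIT / "_"); names are case sensitive.
_TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
# Key types this example understands: rsa (RFC 6376) and ed25519 (RFC 8463).
_KEY_TYPES = {"rsa", "ed25519"}


class DkimRecordError(ValueError):
    """A record that a verifier would reject as syntactically invalid."""


def join_txt_strings(strings):
    """RFC 6376 3.6.2.2: concatenate the TXT character-strings with no separator."""
    return b"".join(strings).decode("ascii")


def parse_tag_list(text):
    """Split a tag-list into {name: value}. Rejects empty tag-specs, a missing
    '=', malformed tag names and duplicate tags; one trailing ';' is allowed."""
    specs = text.split(";")
    if specs[-1].strip() == "":
        specs.pop()  # tag-list = tag-spec *( ";" tag-spec ) [ ";" ]
    tags = {}
    for spec in specs:
        if "=" not in spec:
            raise DkimRecordError("tag-spec without '=': %r" % spec.strip())
        name, value = (part.strip() for part in spec.split("=", 1))
        if not _TAG_NAME.match(name):
            raise DkimRecordError("malformed tag name: %r" % name)
        if name in tags:
            raise DkimRecordError("duplicate tag: %s" % name)
        tags[name] = value
    return tags


def parse_dkim_key_record(txt_strings):
    """Return the fields a verifier needs from the RRset, or raise DkimRecordError."""
    tags = parse_tag_list(join_txt_strings(txt_strings))
    if "v" in tags:
        # v= is optional, but if present it must be exactly "DKIM1" and come first.
        if tags["v"] != "DKIM1":
            raise DkimRecordError("unsupported version: %r" % tags["v"])
        if next(iter(tags)) != "v":
            raise DkimRecordError("v= tag present but not first")
    if "p" not in tags:
        raise DkimRecordError("required p= tag missing")
    key_type = tags.get("k", "rsa")
    if key_type not in _KEY_TYPES:
        raise DkimRecordError("unrecognized key type: %r" % key_type)
    # Whitespace inside the base64 is ignored; an empty p= means the key is revoked.
    public_key = re.sub(r"\s+", "", tags["p"])
    if public_key:
        try:
            base64.b64decode(public_key, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise DkimRecordError("p= is not valid base64: %s" % exc)
    return {
        "key_type": key_type,
        "public_key": public_key,
        "revoked": public_key == "",
        "hash_algs": tags["h"].split(":") if "h" in tags else None,  # None: any
        "flags": set(tags["t"].split(":")) if "t" in tags else set(),
    }


def check_record(txt_strings):
    """Classify one RRset as ('ok', fields) or ('syntax_error', reason)."""
    try:
        return "ok", parse_dkim_key_record(txt_strings)
    except DkimRecordError as exc:
        return "syntax_error", str(exc)


# Constructed key material: base64 of an arbitrary byte string, not a real key.
KEY_B64 = base64.b64encode(b"constructed-public-key-bytes-not-a-real-key").decode()

# Constructed test vectors, each given as the list of TXT character-strings a
# resolver would hand back for <selector>._domainkey.<domain>.
SAMPLES = {
    "split_across_strings": [b"v=DKIM1; k=rsa; p=" + KEY_B64[:20].encode(), KEY_B64[20:].encode()],
    "revoked_key": [b"v=DKIM1; p="],
    "trailing_semicolon": [b"v=DKIM1; h=sha256; t=s; p=" + KEY_B64.encode() + b";"],
    "missing_equals": [b"v=DKIM1; k rsa; p=" + KEY_B64.encode()],
    "duplicate_tag": [b"v=DKIM1; p=" + KEY_B64.encode() + b"; p=" + KEY_B64.encode()],
    "v_not_first": [b"k=rsa; v=DKIM1; p=" + KEY_B64.encode()],
    "bad_base64": [b"v=DKIM1; p=not*valid*base64"],
    "empty_tag_spec": [b"v=DKIM1;; p=" + KEY_B64.encode()],
}


def check_samples():
    """Run every constructed vector through check_record; returns {name: status}."""
    return {name: check_record(strings)[0] for name, strings in SAMPLES.items()}


if __name__ == "__main__":
    for name, strings in SAMPLES.items():
        status, detail = check_record(strings)
        print("%-22s %-12s %s" % (name, status, detail if status != "ok" else "revoked" if detail["revoked"] else detail["key_type"]))
```

The "split_across_strings" vector is the case a library choice decides: if the resolver wrapper joins the character-strings with a space or returns only the first one, the base64 in p= is damaged or truncated and every signature under that selector fails, which looks like a 100% verification failure rather than a lookup problem. Keeping vectors like these beside the verifier makes it possible to tell a sender's broken record apart from a receiver's broken parser, which is the distinction Doug's three-way list of causes turns on.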