>> the spec does not define *which* DKIM signature should be reported in
>> the DMARC RUA created by a receiver.
>> [... skip proposed order ...]
>
> This seems overcomplex. How about saying the reports SHOULD include
> all valid DKIM reports. If they can't, they can't, and I don't see
> any benefit in offering advice on how not to comply.

In my implementation, I have two points where I don't comply:

*Maximum signatures in a message*
That is to avoid silly attacks (but consider the recent SKS attack). It is about 1000, IIRC. The rest is not verified.

*Maximum signatures reported in rua*
This is much lower, currently 4. It's there because transitive closure is not yet available on a number of SQL products. In particular, MariaDB needs 10.2.2[*], which is not yet in Debian stable. The workaround is to left join the table with itself a (finite) number of times[†].

How about this:

    In the presence of multiple signatures, aggregate reports SHOULD
    mention at most 1000 and at least 4 signatures (if available), in
    order of decreasing importance.

?

Best
Ale
--
[*] https://mariadb.com/kb/en/library/recursive-common-table-expressions-overview/
[†] search db_sql_dmarc_agg_record in:
https://www.tana.it/svn/zdkimfilter/tags/v1.6/odbx_example.conf

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
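
The two query shapes contrasted in the message above, as an added example that is not part of the original post and not zdkimfilter's code: a fixed run of left self-joins that can report at most 4 signatures, beside a recursive common table expression bounded by the 1000-signature cap. The `sig`/`msg` schema, the `next_id` chaining, the function names and all sample rows are assumptions constructed for illustration, and SQLite (via Python) stands in for MariaDB so the block runs offline.

```python
import sqlite3

# Workaround shape: one LEFT JOIN per extra signature, so the cap (4) is baked in.
FIXED_JOINS = """
SELECT s1.domain, s2.domain, s3.domain, s4.domain
FROM msg m
LEFT JOIN sig s1 ON s1.id = m.first_sig
LEFT JOIN sig s2 ON s2.id = s1.next_id
LEFT JOIN sig s3 ON s3.id = s2.next_id
LEFT JOIN sig s4 ON s4.id = s3.next_id
WHERE m.id = ?"""

# Transitive-closure shape: walks the whole chain, with an explicit depth bound.
RECURSIVE = """
WITH RECURSIVE chain(domain, next_id, depth) AS (
  SELECT s.domain, s.next_id, 1
  FROM msg m JOIN sig s ON s.id = m.first_sig WHERE m.id = ?
  UNION ALL
  SELECT s.domain, s.next_id, c.depth + 1
  FROM chain c JOIN sig s ON s.id = c.next_id
  WHERE c.depth < ?          -- hard bound: a looping chain still terminates
)
SELECT domain FROM chain ORDER BY depth"""

def make_db():
    """Constructed sample data on a hypothetical schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE sig (id INTEGER PRIMARY KEY, domain TEXT, next_id INTEGER);
      CREATE TABLE msg (id INTEGER PRIMARY KEY, first_sig INTEGER);
    """)
    # message 1: six chained signatures; message 2: two signatures
    rows = [(i, f"d{i}.example", i + 1 if i < 6 else None) for i in range(1, 7)]
    rows += [(10, "a.example", 11), (11, "b.example", None)]
    # message 3: corrupt chain that loops back on itself
    rows += [(20, "x.example", 21), (21, "y.example", 20)]
    db.executemany("INSERT INTO sig VALUES (?, ?, ?)", rows)
    db.executemany("INSERT INTO msg VALUES (?, ?)", [(1, 1), (2, 10), (3, 20)])
    return db

def reported_fixed(db, msg_id):
    """Signatures visible to the self-join query (never more than 4)."""
    row = db.execute(FIXED_JOINS, (msg_id,)).fetchone() or ()
    return [d for d in row if d is not None]

def reported_recursive(db, msg_id, limit=1000):
    """Signatures visible to the recursive query, up to `limit`."""
    return [r[0] for r in db.execute(RECURSIVE, (msg_id, limit))]
```

Without the `depth` bound, the looping chain in message 3 would make the recursive query run until the engine's own limits stop it, which is the same concern behind capping the number of signatures verified per message.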