>> the spec does not define *which* DKIM signature should be reported in 
>> the DMARC RUA created by a receiver.
>> [... skip proposed order ...]
> 
> This seems overcomplex.  How about saying the reports SHOULD include
> all valid DKIM reports.  If they can't, they can't, and I don't see
> any benefit in offering advice on how not to comply.


In my implementation, I have two points where I don't comply:

*Maximum signatures in a message*

That is to avoid silly attacks (but consider the recent SKS attack).  It
is about 1000, IIRC.  The rest is not verified.


*Maximum signatures reported in rua*

This is much lower, currently 4.  It's there because transitive closure
is not yet available on a number of SQL products.  In particular,
MariaDB needs 10.2.2[*], which is not yet in Debian stable.  The
workaround is to left join the table with itself a (finite) number of
times[†].


How about this:

    In the presence of multiple signatures, aggregate reports SHOULD
    mention at most 1000 and at least 4 signatures (if available), in
    order of decreasing importance.

?


Best
Ale
-- 

[*]
https://mariadb.com/kb/en/library/recursive-common-table-expressions-overview/

[†] search db_sql_dmarc_agg_record in:
https://www.tana.it/svn/zdkimfilter/tags/v1.6/odbx_example.conf

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
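The bounded self-join workaround mentioned in the message above, as an added example that is not part of the original post and not zdkimfilter's own code or schema. The two-table layout (`message`, `signature` with a per-message `rank`), the sample signatures and the `max_sigs` cap of 4 are assumptions made here; the point is to show why a fixed number of LEFT JOINs caps the signatures that can be reported per message, while a recursive CTE (available in SQLite, and in MariaDB from 10.2.2) returns the whole chain.

```python
import sqlite3

# Constructed sample data (not real traffic): three messages, the third
# carrying six DKIM signatures, as happens when several relays re-sign.
# Columns: (message_id, rank, signing domain, verification result);
# rank is the signature's position in the header, 1 = first.
SAMPLE_SIGNATURES = [
    (1, 1, "example.com", "pass"),
    (2, 1, "example.com", "pass"),
    (2, 2, "lists.example.org", "pass"),
    (3, 1, "example.com", "pass"),
    (3, 2, "lists.example.org", "pass"),
    (3, 3, "relay-a.example.net", "fail"),
    (3, 4, "relay-b.example.net", "pass"),
    (3, 5, "relay-c.example.net", "pass"),
    (3, 6, "relay-d.example.net", "fail"),
]


def build_db():
    """In-memory SQLite database with an assumed one-to-many schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE message (id INTEGER PRIMARY KEY);
        CREATE TABLE signature (
            message_id INTEGER NOT NULL REFERENCES message(id),
            rank       INTEGER NOT NULL,
            domain     TEXT    NOT NULL,
            result     TEXT    NOT NULL,
            PRIMARY KEY (message_id, rank)
        );
    """)
    conn.executemany("INSERT INTO message VALUES (?)", [(1,), (2,), (3,)])
    conn.executemany("INSERT INTO signature VALUES (?,?,?,?)", SAMPLE_SIGNATURES)
    return conn


def self_join_query(max_sigs):
    """Build the workaround query: one LEFT JOIN of `signature` per slot.

    Slot k only ever sees the signature with rank k, so a message with more
    than max_sigs signatures silently loses the rest. That is the cap the
    message above describes (currently 4 in the author's setup).
    """
    cols = ", ".join(f"s{k}.domain AS d{k}, s{k}.result AS r{k}"
                     for k in range(1, max_sigs + 1))
    joins = "\n".join(
        f"LEFT JOIN signature s{k} ON s{k}.message_id = m.id AND s{k}.rank = {k}"
        for k in range(1, max_sigs + 1)
    )
    return f"SELECT m.id, {cols}\nFROM message m\n{joins}\nORDER BY m.id"


def flatten_by_self_join(conn, max_sigs=4):
    """Return {message_id: [(domain, result), ...]} with at most max_sigs entries."""
    out = {}
    for row in conn.execute(self_join_query(max_sigs)):
        mid, rest = row[0], row[1:]
        # Empty slots come back as NULL pairs; drop them.
        out[mid] = [(rest[i], rest[i + 1])
                    for i in range(0, len(rest), 2) if rest[i] is not None]
    return out


# Recursive CTE: walks rank 1, 2, 3, ... for each message with no fixed bound,
# which is what the self-join emulates when the engine lacks WITH RECURSIVE.
RECURSIVE_QUERY = """
WITH RECURSIVE chain(message_id, rank, sigs) AS (
    SELECT message_id, rank, domain || ':' || result
      FROM signature WHERE rank = 1
    UNION ALL
    SELECT s.message_id, s.rank, c.sigs || ',' || s.domain || ':' || s.result
      FROM chain c JOIN signature s
        ON s.message_id = c.message_id AND s.rank = c.rank + 1
)
SELECT message_id, sigs FROM chain c
WHERE rank = (SELECT MAX(rank) FROM signature WHERE message_id = c.message_id)
ORDER BY message_id
"""


def flatten_by_recursive_cte(conn):
    """Return {message_id: [(domain, result), ...]} for the full signature chain."""
    out = {}
    for mid, sigs in conn.execute(RECURSIVE_QUERY):
        out[mid] = [tuple(item.split(":")) for item in sigs.split(",")]
    return out


if __name__ == "__main__":
    db = build_db()
    for mid, sigs in flatten_by_self_join(db, max_sigs=4).items():
        print("self-join (cap 4):", mid, sigs)
    for mid, sigs in flatten_by_recursive_cte(db).items():
        print("recursive CTE:    ", mid, sigs)
```

Run as a script, message 3 shows the difference: the four-way self-join reports only the first four of its six signatures, the recursive CTE reports all six. Raising `max_sigs` widens the query (two more columns and one more join per slot), which is why the cap is kept small on engines without recursive CTEs.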