I understand your question to be "Why do I see invalid DKIM signatures on 
messages from the IETF mailing list?"  I can provide your answer.

The typical message on this mailing list has three signatures:

Signature Analysis:
The first signature is from the submitter's organization.   In your message, it 
was from junc.eu.

The second signature is applied by IETF shortly after receipt of the message.

IETF adds an Authentication-Results header which indicates that the junc.eu 
signature was valid when they checked it.

Then, IETF changes the FROM address to be @dmarc.ietf.org and tags the 
Subject with [dmarc-ietf].   This breaks both of the first two signatures.

Then, IETF applies a second signature which is verifiable.

Integrity Analysis:
The IETF rule is "an unverified signature is the same as no signature."  
Therefore, the invalid signatures can and should be ignored.  It appears that 
your tool is getting confused by the invalid IETF signature and ignoring the 
valid one.

The message passes SPF because the Sender Address has been changed to 
dmarc-boun...@ietf.org.

The second passes DKIM because the second IETF signature verifies.

No official assertion has been made about the sender's domain, so there is no 
need to verify against that domain.   But if you want to do so, you can 
evaluate whether to place trust in the Authentication-Results header applied by 
IETF.

IETF converts all messages to plain text, and strips or blocks attachments, so 
they have minimized the opportunity for malicious submission.

Implications for Email Defenses:

This example is a reminder that every message is a take-it-or-leave-it 
proposition.   You can accept the message or reject it, based on the message 
characteristics, but you will probably be unable to change the sender's 
behavior.   In this situation, you may not like having two signatures from 
IETF, but you cannot change IETF.    As a result, any spam filter needs to be 
very flexible about exceptions.   Too many spam filters do not have adequate 
exception mechanisms.

Hope this helps,

Doug Foster

----------------------------------------
From: me=40junc...@dmarc.ietf.org
Sent: 5/16/20 7:58 AM
To: dmarc@ietf.org
Subject: [dmarc-ietf] dmarc.ietf.org failed dmarc

https://dmarcian.com/domain-checker/ test it there

if not taking ownerships it will get dmarc pass

oh well software testers needs cases to test on its one here then

if its complete impossible to not break dkim i will leave this maillist

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
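
The rule from the reply above ("an unverified signature is the same as no signature"), shown as an added example that is not part of the original thread or of any tool mentioned in it. The Authentication-Results value is constructed, the function names are hypothetical, and the organizational-domain check is a simplifying assumption.

```python
import re

# Constructed sample: results a receiver's own verifier might record for the
# list message described above (three DKIM signatures, rewritten envelope sender).
SAMPLE_AUTHRES = (
    "mx.receiver.example; "
    "dkim=fail header.d=junc.eu; "
    "dkim=fail header.d=ietf.org; "
    "dkim=pass header.d=ietf.org; "
    "spf=pass smtp.mailfrom=ietf.org"
)

def org_domain(domain):
    # Assumption: naive organizational domain (last two labels).
    # Production code should consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_authres(value):
    """Return (method, result, domain) for each dkim/spf entry."""
    out = []
    for part in value.split(";")[1:]:  # first element is the authserv-id
        method = re.match(r"\s*(dkim|spf)=(\w+)", part)
        prop = re.search(r"(?:header\.d|smtp\.mailfrom)=(\S+)", part)
        if method and prop:
            domain = prop.group(1).split("@")[-1]
            out.append((method.group(1), method.group(2).lower(), domain))
    return out

def dmarc_evaluate(from_domain, value):
    """Pass if ANY passing result aligns with the From domain (relaxed)."""
    results = parse_authres(value)
    # Failed signatures are dropped, never counted against the message.
    ignored = [d for m, r, d in results if m == "dkim" and r != "pass"]
    aligned = [(m, d) for m, r, d in results
               if r == "pass" and org_domain(d) == org_domain(from_domain)]
    return {"dmarc": "pass" if aligned else "fail",
            "aligned": aligned, "ignored_dkim": ignored}

def first_signature_only(from_domain, value):
    """The mistake: judge the domain by the first aligned signature seen."""
    for m, r, d in parse_authres(value):
        if m == "dkim" and org_domain(d) == org_domain(from_domain):
            return r
    return "none"

if __name__ == "__main__":
    print(dmarc_evaluate("dmarc.ietf.org", SAMPLE_AUTHRES))
    print(first_signature_only("dmarc.ietf.org", SAMPLE_AUTHRES))
```

Only feed this kind of check with Authentication-Results headers written by your own border MTA; a header carried in from outside is a claim, not a result.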

