On Mon 25/Jan/2021 01:25:13 +0100 Brotman, Alex wrote:

> Some time ago, an issue[1] was brought to the list where which DKIM(s) being 
> reported is not clear in RFC7489 [2].  There was a short discussion, though no 
> clear resolution before the conversation trailed off.  It seems like there were 
> points that may need to be discussed.  One was whether the reporting SHOULD 
> report all signatures, regardless of alignment or validity, or perhaps just the 
> one that aligns (if there is one).


I think that, in principle, it is good to report all signatures. Within a report, signatures should be ordered by importance. If the number of signatures per report is limited, it is paramount that they be ordered, so that the most important ones are reported.

How to define importance is subjective. A report generator decides the order based on internal policies or criteria. The order in which signatures are reported is additional information, as if each record contained a sort of approval index, irrespective of the total number of signatures being reported.

For example, my report generator orders signatures by domain, putting the author's domain first, and then taking into account alignment and a sort of reputation. That's the order in which validation is attempted. Afterwards, valid signatures are put before invalid ones. The number of reported signatures is limited to 4, because of SQL query limits (the query itself is configurable; it does a number of LEFT JOINs, which can be increased.)


> There was also another question if there should be a limit to the number of 
> signatures reported so that it remains sane.


Yes, I think it's sane to put a limit. I'd reject messages with more than 128 signatures. It never happened.


Best
Ale
--
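The ordering policy Ale describes above (validation order: author's domain first, then aligned domains, then a local reputation; afterwards valid signatures before invalid ones; at most 4 records reported; messages with more than 128 signatures rejected) as an added, stand-alone illustration. This is not Ale's report generator or any project's code; the `DkimSignature` type, the `reputation` field, the sample signatures and the two-label organizational-domain shortcut in `org_domain` are assumptions made here for the example.

```python
from dataclasses import dataclass

MAX_SIGNATURES_PER_MESSAGE = 128  # above this the message is rejected (figure from the post)
MAX_REPORTED_SIGNATURES = 4       # records kept in the aggregate report (figure from the post)


@dataclass
class DkimSignature:
    """One DKIM-Signature header as seen by the verifier (assumed shape)."""
    domain: str            # d= tag
    selector: str          # s= tag
    valid: bool            # outcome of signature verification
    reputation: int = 0    # assumed: local score, higher means more trusted


def org_domain(domain: str) -> str:
    # Assumption for the example: organizational domain = last two labels.
    # A real implementation would consult the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(sig_domain: str, from_domain: str) -> bool:
    # Relaxed DMARC alignment: the organizational domains match.
    return org_domain(sig_domain) == org_domain(from_domain)


def validation_order(sigs, from_domain):
    """Order in which verification is attempted: author's domain first,
    then aligned domains, then by descending reputation (stable on ties)."""
    def key(s):
        return (
            0 if s.domain.lower() == from_domain.lower() else 1,
            0 if is_aligned(s.domain, from_domain) else 1,
            -s.reputation,
        )
    return sorted(sigs, key=key)


def report_order(sigs, from_domain, limit=MAX_REPORTED_SIGNATURES):
    """Signatures as they should appear in the report: valid ones first,
    keeping the validation order inside each group, truncated to `limit`."""
    if len(sigs) > MAX_SIGNATURES_PER_MESSAGE:
        raise ValueError("too many DKIM signatures; message rejected")
    ordered = validation_order(sigs, from_domain)
    # Python's sort is stable, so the validation order survives within each group.
    ordered.sort(key=lambda s: 0 if s.valid else 1)
    return ordered[:limit]


def to_report_records(sigs, from_domain):
    """Fields of the <dkim> auth_results element in RFC 7489 aggregate reports."""
    return [
        {"domain": s.domain, "selector": s.selector,
         "result": "pass" if s.valid else "fail"}
        for s in report_order(sigs, from_domain)
    ]


# Constructed sample: six signatures on one message whose From: domain is example.com.
SAMPLE_SIGNATURES = [
    DkimSignature("mail.example.com", "s1", valid=True, reputation=5),   # aligned subdomain
    DkimSignature("example.com", "sel", valid=False, reputation=9),      # author domain, broken
    DkimSignature("esp.example", "x", valid=True, reputation=3),         # unaligned
    DkimSignature("example.com", "k2", valid=True, reputation=9),        # author domain, good
    DkimSignature("thirdparty.net", "a", valid=False, reputation=0),     # unaligned, broken
    DkimSignature("mailer.example", "b", valid=True, reputation=7),      # unaligned
]

if __name__ == "__main__":
    for rec in to_report_records(SAMPLE_SIGNATURES, "example.com"):
        print(rec)
```

With the sample above, the author-domain signature `k2` comes first, the aligned `mail.example.com` second, the two unaligned but valid signatures follow by reputation, and the two failing signatures fall off the end because of the limit of 4.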
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc