On Wed 21/Jun/2023 15:36:44 +0200 Todd Herr wrote:
On Wed, Jun 21, 2023 at 4:22 AM Alessandro Vesely <ves...@tana.it> wrote:
On Tue 20/Jun/2023 15:40:11 +0200 Todd Herr wrote:

I can't speak for Patrick, but I don't think he's necessarily thinking of different encryption algorithms here.

Not all who wish to have their email DKIM signed have the luxury that you have John of full control of the DKIM signing process. I'm specifically thinking of the entity (call them Marty Marketer) who has the authority to employ a third party to send authenticated mail on behalf of a domain, mail that the third party can and will DKIM sign using the entity's domain. Sadly, Marty does not have the authority to update DNS for that domain in order to publish a DKIM public key. This leads to challenges as the third party presents to Marty a public key to publish, and Marty tries to figure out to whom to pass along this information and in what format. This leads to screen caps, or cutting and pasting errors, misdirected mail chains, etc., etc.

Is this the way it should be? Probably not, but it's a reality for many, and it's a problem we don't as an industry have an answer for yet. If we did, there wouldn't be people in the other thread reporting such a high percentage of DKIM failures due to malformed/missing keys.

Now, of course we could argue that Marty shouldn't be left to their own devices to engage third party senders, and that should solely be the province of the IT staff that manages DNS, but I fear that the energy required to type and distribute such words would be wasted.

Creating more and more publishing mechanisms could reproduce the situation of SPF, whereby customers of the same third party can easily impersonate one another.

DKIM signatures have to be created by MSAs upon user authentication. MSAs which use smarthosts, IMHO, had better sign just the header fields they control rather than delegate signing. Doesn't Marty have any option on that?

I'm afraid I've done a poor job of making my point, as it seems that you haven't understood what I was trying to say. Let me try again.

The scenario I'm describing here isn't referring to the actual DKIM signing of any given message. Rather, I'm talking about the publication of the DKIM public key in DNS to support the validation of signed mail.

In this scenario, Marty has hired a third party email service provider (e.g., WeSendMail) to handle a class of bulk sending on behalf of Marty's organization (e.g., WeSellStuff.com).

Marty wants WeSendMail to DKIM sign that mail using d=wesellstuff.com, and WeSendMail can do that, so Marty clicks a button or whatever in the WeSendMail UI to make that happen.

The UI pops up a screen that says "Please publish this TXT record in your DNS", where the name is WSMWSSSelector._domainkey.wesellstuff.com and the value is the DKIM public key. Marty doesn't control DNS for wesellstuff.com.

Maybe Marty knows who does control DNS, and Marty is good at cutting and pasting, and Marty can successfully communicate the request to the DNS people for wesellstuff.com.

Maybe Marty has no clue who to engage, or maybe Marty misses a character in the cutting and pasting, or maybe Marty just does a screen capture and the DNS folks mess up something when transcribing the contents of the picture, or...

Might something like Domain Connect (https://www.domainconnect.org/) solve this? Sure, it could, and its website even describes a scenario identical to what I'm trying to describe here. However, Domain Connect seems to be a bit hand-wavy on the concept of authorization when it comes to making changes to DNS zones, and in this scenario, Marty doesn't have those credentials.


Ah, yeah. I had thought that the message content was written by people at wesellstuff.com and sent on their behalf. If it's people at WeSendMail who actually creates the messages, then it is correct that they sign what they write. I understand the key publishing problem, although in the realities I have experience of, that kind of agreement is handled at a high enough level that Marty wouldn't have problems to ask it to the it head directly.

From a recipient POV, I'd prefer From: to refer to the creatives and the subject to the advertised product...


Best
Ale
--













_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Reply via email to