On Mon, 23 Jul 2018 at 20:16, Steve Atkins <st...@blighty.com> wrote:
> > On Jul 21, 2018, at 1:28 AM, Stefano Bagnara <mai...@bago.org> wrote:
> > [...]
> > Otherwise we keep weakening DMARC to a point where it is not useful anymore.
>
> For many senders it's not useful; it's actively harmful. They're deploying it 
> because they've been ordered to, or because they've received bad advice, or 
> because they're copying others who've made poor decisions.

The "v=spf1 +all" SPF record is another, even easier, way to work around it.
Your messages will also "DMARC survive" every body change applied by
any forwarder adding something to the top of the message or "fixing"
your message the way they know.

> Weakening its guarantees *for those senders* mitigates that damage.
>
> It also *strengthens* DMARC for other senders, those using it legitimately, 
> as it reduces the number of recipient mailbox providers who stop enforcing 
> DMARC because it breaks delivery of legitimate email.

RFC6376 5.4. Determine the Header Fields to Sign:
"signing fields present in the message such as Date, Subject,
Reply-To, Sender, and all MIME header fields are highly advised."

RFC6376 6.1.1. Validate the Signature Header Field
"Verifiers MAY ignore the DKIM-Signature header field and return
PERMFAIL (unacceptable signature header) for any other reason, for
example, if the signature does not sign header fields that the
Verifier views to be essential.  As a case in point, if MIME header
fields are not signed, certain attacks may be possible that the
Verifier would prefer to avoid."

So, weakening it may produce a failure to some receivers even if the
message was not altered by anyone. Otherwise you could approach DKIM
"minimal" by only signing the "From" header and using "l=0" to avoid
signing the body (this is the minimal following the MUST, but it is
clearly discouraged by the RFC). Anyone with one of your signed emails
will be able to sign any message with your From header (very similar
to the SPF "workaround" above).

Today I don't think there are many "strict checkers" on the DKIM
verification side, but I think we'll see them being more strict as
soon as weak DKIM "patterns" start gaining traction. And how can
we be sure they are not doing that already? I guess that "paranoid"
receivers that apply strict rules are the same that will never send
you DMARC reports, too.

I couldn't argue with a receiver that drops a message from a "v=spf1
+all" domain or a message whose DKIM signature covers only the "From"
header and 0 body bytes.

I'm just playing Devil's Advocate.

Maybe another plan: using multiple signatures.

You can sign it twice, once with the "suggested" setup and once with
your "minimal" setup (a different selector and very fast-rotating
selector/keys). This way receivers that only want to accept DKIM as
valid when enough headers and enough of the body is signed can still
accept one of your DKIM signatures.

Stefano

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
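
An added example (not part of the original message or of any project's code): a sketch of the strict receiver-side check discussed above, flagging DKIM-Signature headers that leave advised or MIME header fields unsigned or use "l=", and showing that with dual signing one signature can still pass. The policy set, function names and sample signatures are assumptions constructed for illustration; no cryptographic verification is performed.

```python
import re

# Fields RFC 6376 section 5.4 calls "highly advised" to sign (as quoted above).
# Treating their absence as a rejection reason is an assumed receiver policy.
ADVISED = {"date", "subject", "reply-to", "sender"}

def parse_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict (folding removed)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def audit_signature(value, present_headers):
    """List the weaknesses a strict verifier could answer with PERMFAIL."""
    tags = parse_tags(value)
    signed = {h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()}
    present = {h.lower() for h in present_headers}
    findings = []
    if "from" not in signed:
        findings.append("From not signed")
    missing = sorted((ADVISED & present) - signed)
    if missing:
        findings.append("advised headers present but unsigned: " + ", ".join(missing))
    mime = sorted(h for h in present - signed
                  if h == "mime-version" or h.startswith("content-"))
    if mime:
        findings.append("MIME headers unsigned: " + ", ".join(mime))
    if "l" in tags:
        findings.append("l=%s: body beyond that length is not covered" % tags["l"])
    return findings

def acceptable(signatures, present_headers):
    """Dual-signing case: accept if at least one signature has no findings."""
    return any(not audit_signature(s, present_headers) for s in signatures)

# Constructed sample data (placeholders instead of real hashes/signatures).
HEADERS = ["From", "To", "Subject", "Date", "MIME-Version", "Content-Type"]
STRICT = ("v=1; a=rsa-sha256; d=example.com; s=main; c=relaxed/relaxed;\r\n"
          " h=from:to:subject:date:mime-version:content-type; bh=PLACEHOLDER; b=PLACEHOLDER")
MINIMAL = ("v=1; a=rsa-sha256; d=example.com; s=fast1; c=relaxed/relaxed;\r\n"
           " h=from; l=0; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    for name, sig in (("strict", STRICT), ("minimal", MINIMAL)):
        print(name, audit_signature(sig, HEADERS))
```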
