On Thu, Aug 2, 2018 at 7:44 AM Bill Cole <mailop-20160...@billmail.scconsult.com> wrote:

> On 2 Aug 2018, at 9:23, Stefano Bagnara wrote:
>
> > In our case our main DKIM-signature for any email sent by our servers
> > always matches the return-path domain, the HELO and the FCrDNS. It
> > often doesn't match the MIME From, so it doesn't align.
> > When we can do it we add a second signature aligned to the From, but
> > we can't do that for every email.
>
> Right, but what YOU do isn't what either ESP in the OP's case is doing.
>
> They are signing with 3-level domains that share nothing except their top
> 2 levels with any other name used in sending the mail. The signing
> domains have no connection to the messages except the signature. It is
> solely an authentication that some party capable of manipulating
> intrinsically ephemeral unrelated unsigned DNS records acted as a
> transport for the mail.
>
> I guess at Google-scale it could be worth creating a mechanism for
> maintaining reputation for that essentially meaningless attribute of
> mail (an unreliable authentication of an entity with no defined
> relationship to the mail), but I am surprised by this.
>

How is it unreliable?

And that relationship to the mail is the message itself; to be DKIM signed,
it had to come from them. At that level, they are taking "ownership" of
the message, or even some level of "responsibility".

Yes, it is true that that only really helps if you have some scale to see
enough messages from senders to build knowledge of them.
I don't think Google's level of scale is required for that, and even
relatively small receivers may be using third party data sources or
anti-spam software which does aggregate between receivers.

It also allows receivers to grant the senders information about what
happened to their mail, with FBLs and things like our feedback loop.

The DKIM replay attacks were probably the most effective attacks on this
particular usage, trying to piggyback off of higher reputation systems.

One of the reasons with ARC that we couldn't re-use DKIM signatures and had
to create a separate similar signature, is that an ARC signature doesn't
take responsibility for the message, it's only supposed to take
responsibility for maintaining the chain and the data in
the AAR header.

There are places where "unrelated" DKIM signatures are kind of on the
border of the "responsibility" thing, such as relays like mailing lists.
In some respects, that is better handled by ARC, though we're a long way
from that.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
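
The distinction this thread turns on, between a DKIM signature whose d= domain aligns with the From header and one that only matches the return-path, can be checked mechanically. The following is an added example, not code from any participant in the thread; it classifies each signature's d= domain and does not verify the signature cryptographically. The message, the domain names and the tiny public-suffix set are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List; real checks need the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "example"}

# Constructed message: one signature by the sending platform, one by the From domain.
SAMPLE = """\
Return-Path: <bounce@mta.esp.example>
DKIM-Signature: v=1; a=rsa-sha256; d=mta.esp.example; s=s1;
 h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
DKIM-Signature: v=1; a=rsa-sha256; d=customer.example; s=k1;
 h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Shop <news@customer.example>
Subject: Hello

body
"""

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known

def dkim_tags(value):
    """Split a (possibly folded) DKIM-Signature value into its tag=value pairs."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def addr_domain(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def classify(raw):
    """For each DKIM-Signature, report how its d= relates to From and Return-Path."""
    msg = message_from_string(raw)
    from_dom, rp_dom = addr_domain(msg["From"]), addr_domain(msg["Return-Path"])
    rows = []
    for sig in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(sig).get("d", "").lower()
        rows.append({"d": d,
                     "strict": d == from_dom,  # exact match with the From domain
                     "relaxed": org_domain(d) == org_domain(from_dom),
                     "matches_return_path": org_domain(d) == org_domain(rp_dom)})
    return rows

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```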
