On 04/12/16 12:06, Robert Schetterer wrote:
On 12.04.2016 at 07:56, li...@lazygranch.com wrote:
Just a quickie here on DMARC. I set one domain to "quarantine" and set up the 
rua to email me a report. Thus far, only MS Hotmail sends me anything, even though I have 
emailed yahoo accounts.

The MS Hotmail report is in XML, which I can read in vim or whatever. I'm not 
sure what they intended me to use.
or use

https://dmarcian.com/dmarc-xml/

Since programs will usually be reading the XML and producing reports locally, XML is a good format. Plenty of perl and python modules to parse XML.

I use emacs and it does a nice job of coloring XML according to function (element, attribute, etc). It's no worse than reading HTML source.
Doing a survey of email clients with SPF and DKIM verification, I only found 
Thunderbird does this, and with a plugin.  Thunderbird is in caretaker status, 
so I don't use it.

I use my phone and thunderbird to preview my IMAP accounts and occasionally respond on one or the other. Then I run fetchmail (with TLS) to empty the folder and actually read and archive my mail.

DKIM signature should be done by the MSA. That would mean postfix for most of the people on this list. Therefore mail sent from any client gets DKIM signed. There is an opendkim milter for this. MSA should authenticate, match to sender (or verify sender somehow) and then DKIM sign.

Thus an identification system (SPF and DKIM) had been created that mail system 
administrators are loath to strictly enforce for received email, and with no 
consequences, is only half-heartedly complied with on the sending side.  
(Congrats to the interwebs for at least providing many DKIM/SPF verification 
websites.)
That might be partially because they don't understand how it was intended to be deployed. DKIM signature is not intended to be done by the MUA as the general case.

And if we agree (OK, some agree) that strict rejection of received email based 
on SPF and DKIM is not a good idea, you would think at least the email clients 
would make detection of these identification methods more automatic.

Hats off to programmers for providing/maintaining tools that the masses don't 
appreciate.

Rejection of mail with DNS records that indicate that mail MUST be from a given address range, or MUST be signed, should be honored to prevent forgery. Those domains are saying that they do have their act together and know where their mail should be originating from and have the ability to sign it. The error in DKIM design was that there is no way to determine that unsigned mail should have been signed and DMARC fixes that.


Best Regards
MfG Robert Schetterer


Curtis
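The thread mentions reading the XML aggregate (rua) reports locally with Python modules. The following is an added example, not code from the thread: a small parser for the RFC 7489 aggregate-report layout using only the standard library, run over a constructed sample report (documentation IPs, made-up org and report id) that tallies which sources passed and which failed both SPF and DKIM.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name>
  <report_id>constructed-0001</report_id>
  <date_range><begin>1460419200</begin><end>1460505600</end></date_range></report_metadata>
 <policy_published><domain>example.test</domain><adkim>r</adkim><aspf>r</aspf>
  <p>quarantine</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>12</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.test</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
   <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.test</header_from></identifiers></record>
</feedback>"""


def parse_aggregate_report(xml_text):
    """Return the published policy and one dict per <record> row."""
    # Reports arrive from arbitrary third parties; in production parse them
    # with defusedxml.ElementTree (same fromstring API) instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    pol = root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row, ev = rec.find("row"), rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            "disposition": ev.findtext("disposition"),
            "dkim": ev.findtext("dkim"),      # aligned DKIM result as evaluated by the receiver
            "spf": ev.findtext("spf"),        # aligned SPF result as evaluated by the receiver
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return {"domain": pol.findtext("domain"), "p": pol.findtext("p"),
            "org": root.findtext("report_metadata/org_name"), "rows": rows}


def summarize(report):
    """Message totals: DMARC passes when either aligned identifier passes;
    sources failing both SPF and DKIM are the ones worth investigating."""
    passed = sum(r["count"] for r in report["rows"] if "pass" in (r["dkim"], r["spf"]))
    failed = [(r["source_ip"], r["count"], r["disposition"])
              for r in report["rows"] if r["dkim"] != "pass" and r["spf"] != "pass"]
    return {"passed": passed, "failed": sum(c for _, c, _ in failed), "failing_sources": failed}


if __name__ == "__main__":
    print(summarize(parse_aggregate_report(SAMPLE_REPORT)))
```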
