Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
On Thu, Jun 15, 2023 at 6:34 AM Tero Kivinen wrote:

> Murray S. Kucherawy writes:
> > On Tue, Jun 13, 2023 at 10:34 PM Tero Kivinen wrote:
> > > DKIM failures
> > > 36.34% 26619 invalid DKIM record
> >
> > This is staggering. Can you characterize what the most common
> > malformations are?
>
> I think most of those are missing keys. I.e., there is no key in the
> dns at all for that header.d and header.s.

Oh, I thought "invalid" here meant a record was found and retrieved but was found to be syntactically invalid. That's rather a different story.

-MSK, participatorially
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
On Tuesday, June 13, 2023 5:33:50 PM EDT Tero Kivinen wrote:
> Barry Leiba writes:
> > > DKIM only: ~99.5%
> > > DKIM + SPF: ~100%
> > > SPF only: ~100%
> >
> > That's interesting and disturbing if it remains consistent.
>
> The statistics I have are quite different. The failure rate is much
> bigger both in DKIM and SPF.
>
> Following statistics is random subset of emails going through iki.fi
> system, from last 30 days, consisting bit less than 4 million emails.
> Iki.fi is email forwarding service, so about 90% of those emails will
> fail SPF checks after iki.fi sends them forward. DKIM will go through
> unmodified, and we do not modify normal messages (spam messages might
> get tagged as spam depending on the members configuration), so 85.75%
> of emails will still have valid DKIM signature after passing iki.

Thanks. Sorry for the late reply, I've been tied up with some other work the last couple of days.

I'm not surprised it's radically different as it's a differently scoped data set. As I mentioned up-thread these were for directly connected mail deliveries, so the normal DMARC failure mechanisms weren't relevant. Additionally, these were mail servers for domains which were actively working on having a complete/correct DKIM/SPF configuration to support DMARC, so not average in that manner either.

Since all we had were statistics based on DMARC feedback, we were never able to explore what was behind the DKIM failure rate.

Often in large entities, it's the compartmentalization and need for coordination that turns out to cause many of the problems. I've worked with companies on DMARC deployments where helping them update or develop relevant internal policy, procedures, and processes ended up being a significant fraction of the effort. SPF, DKIM, and DMARC introduce a requirement for a more centralized and complete view of outbound architecture than has historically been needed.

Scott K
Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
Tero Kivinen writes:
> > What are those 0.75%, some 30k SPF - DKIM messages? Are there
> > cases of DKIM random failure salvaged by SPF?
>
> My current analysis script does not try to calculate that, I would
> need to add that step there and rerun the script. If I
> understand correctly you would like to see cases where if there is
> both SPF and DKIM, the cases where the both, only one, or neither
> passed, and how many of those cases would be where dkim=fail, but
> spf=pass?

I reran the statistics and yes, there is 0.84% cases where dkim failed, but spf returned either pass, softfail or neutral. There was also 1.12% cases where spf returned permerror but dkim returned pass, and 1.26% cases where dkim returned pass and spf returned fail, or softfail.

There is of course much bigger part of emails where there was no dkim, but there was spf that passed (7.03%) or softfailed (1.08%).

Here are the actual numbers for DKIM and SPF result combinations:

DKIM & SPF combinations
===
78.62%  3133749  dkim=pass,spf=pass
 7.03%   280239  dkim=none,spf=pass
 4.68%   186634  dkim=pass,spf=none
 3.85%   153543  dkim=none,spf=none
 1.12%    44543  dkim=pass,spf=permerror
 1.08%    43212  dkim=none,spf=softfail
 0.82%    32821  dkim=fail,spf=pass
 0.78%    30953  dkim=pass,spf=softfail
 0.61%    24221  dkim=none,spf=fail
 0.48%    19329  dkim=pass,spf=fail
 0.43%    17120  dkim=none,spf=neutral
 0.24%     9612  dkim=fail,spf=none
 0.06%     2320  dkim=none,spf=permerror
 0.06%     2214  dkim=pass,spf=neutral
 0.04%     1712  dkim=none,spf=temperror
 0.02%      995  dkim=fail,spf=fail
 0.02%      924  dkim=fail,spf=softfail
 0.02%      669  dkim=temperror,spf=pass
 0.01%      360  dkim=missing,spf=missing
 0.00%      199  dkim=temperror,spf=temperror
 0.00%      196  dkim=fail,spf=neutral
 0.00%      144  dkim=missing,spf=none
 0.00%      119  dkim=pass,spf=temperror
 0.00%       99  dkim=missing,spf=pass
 0.00%       50  dkim=fail,spf=permerror
 0.00%       38  dkim=missing,spf=softfail
 0.00%       14  dkim=temperror,spf=none
 0.00%       10  dkim=temperror,spf=softfail
 0.00%        7  dkim=missing,spf=fail
 0.00%        6  dkim=fail,spf=temperror
 0.00%        6  dkim=missing,spf=neutral
 0.00%        1  dkim=temperror,spf=fail
 0.00%        1  dkim=missing,spf=temperror

I.e. 78.64% of time both DKIM and SPF passed.

I also calculated statistics for all DKIM, SPF, DMARC, and ARC combinations, but there were so many of them that I do not include the full list here but here is top 30 from that list:

Protocol combinations
37.74%  1504477  dkim=pass,spf=pass,dmarc=missing,arc=missing
25.37%  1011277  dkim=pass,spf=pass,dmarc=pass,arc=missing
10.96%   436838  dkim=pass,spf=pass,dmarc=none,arc=missing
 3.46%   138083  dkim=none,spf=pass,dmarc=missing,arc=missing
 2.15%    85799  dkim=pass,spf=none,dmarc=missing,arc=missing
 2.00%    79739  dkim=pass,spf=none,dmarc=pass,arc=missing
 1.96%    78279  dkim=none,spf=none,dmarc=missing,arc=missing
 1.64%    65205  dkim=none,spf=pass,dmarc=none,arc=missing
 1.60%    63758  dkim=pass,spf=pass,dmarc=missing,arc=pass
 1.54%    61579  dkim=none,spf=pass,dmarc=pass,arc=missing
 1.16%    46309  dkim=pass,spf=pass,dmarc=pass,arc=pass
 1.09%    43529  dkim=none,spf=none,dmarc=fail,arc=missing
 0.92%    36478  dkim=pass,spf=pass,dmarc=fail,arc=missing
 0.79%    31298  dkim=none,spf=none,dmarc=none,arc=missing
 0.56%    22504  dkim=none,spf=softfail,dmarc=missing,arc=missing
 0.56%    22123  dkim=pass,spf=permerror,dmarc=missing,arc=missing
 0.55%    21973  dkim=pass,spf=pass,dmarc=none,arc=pass
 0.40%    15760  dkim=fail,spf=pass,dmarc=missing,arc=missing
 0.37%    14855  dkim=none,spf=softfail,dmarc=fail,arc=missing
 0.37%    14716  dkim=pass,spf=softfail,dmarc=missing,arc=missing
 0.34%    13576  dkim=none,spf=fail,dmarc=missing,arc=missing
 0.32%    12745  dkim=pass,spf=permerror,dmarc=none,arc=missing
 0.31%    12348  dkim=pass,spf=softfail,dmarc=pass,arc=missing
 0.26%    10290  dkim=none,spf=neutral,dmarc=missing,arc=missing
 0.24%     9657  dkim=pass,spf=permerror,dmarc=pass,arc=missing
 0.23%     9367  dkim=pass,spf=fail,dmarc=missing,arc=missing
 0.20%     8121  dkim=pass,spf=fail,dmarc=pass,arc=missing
 0.20%     7785  dkim=fail,spf=pass,dmarc=none,arc=missing
 0.17%     6719  dkim=pass,spf=none,dmarc=missing,arc=pass
 0.16%     6248  dkim=none,spf=pass,dmarc=fail,arc=missing

So 37% emails had dkim and
Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
Alessandro Vesely writes:
> On Tue 13/Jun/2023 23:33:50 +0200 Tero Kivinen wrote:
> > [...]
> >
> > As you can see 85.75% of incoming email was already signed by DKIM,
> > and 86.5% of emails had SPF records that passed. So they both have
> > about same amount of usage coming in to our servers.
>
> What are those 0.75%, some 30k SPF - DKIM messages? Are there cases of DKIM
> random failure salvaged by SPF?

My current analysis script does not try to calculate that, I would need to add that step there and rerun the script. If I understand correctly you would like to see cases where if there is both SPF and DKIM, the cases where the both, only one, or neither passed, and how many of those cases would be where dkim=fail, but spf=pass?

I will try to see if I can run that check later.

> > 0.19% 7506 none,pass
> > 0.15% 5910 pass,none
>
> How do you order DKIM signatures?

My understanding is that rspamd most likely uses the order of DKIM signatures in the email body. On the other hand order does not matter, as if ANY of the dkim checks pass, then the whole message passes.

The reason I printed out the combinations of different dkim results was to show that there are cases where there is multiple dkim headers and some of those pass and some fail. I.e. there were:

 0.00%  4  pass,fail,fail,fail,fail
 0.00%  2  pass,pass,pass,pass,pass,pass

I.e. four emails had five dkim records, four of them failing and one passing, where another two had six dkim records all passing.

Most of the emails had only one dkim record, and those of which had two most of them were so that both passed.
--
kivi...@iki.fi
Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
Murray S. Kucherawy writes:
> On Tue, Jun 13, 2023 at 10:34 PM Tero Kivinen wrote:
> > DKIM failures
> > 36.34% 26619 invalid DKIM record
>
> This is staggering. Can you characterize what the most common malformations
> are?

I think most of those are missing keys. I.e., there is no key in the dns at all for that header.d and header.s. This might be caused by having some internal machine doing the DKIM signing but not publishing the actual DKIM records in the dns at all.

Sometimes there is another DKIM record that will pass like this:

ARC-Authentication-Results: i=1; MTA-v4;
        dkim=none ("invalid DKIM record") header.d=ernieball.com header.s=ci-ernieball header.b=XXX;
        dkim=pass header.d=criticalimpactinc.com header.s=keyd header.b=XXX;
        spf=pass (MTA-v4: XXX)

Sometimes that was the only dkim record and then the final result is fail:

ARC-Authentication-Results: i=1; MTA-v4;
        dkim=none ("invalid DKIM record") header.d=autostadium.fi header.s=x header.b=XXX;
        spf=pass (MTA-v4: XXX)

Note, that those are not really failures, I calculated those error messages from dkim=none result to the statistics, as it indicates that there was DKIM record in email, but DKIM was not set properly, so in sense it is DKIM error, but if I remember right DKIM specification says that not having DKIM record, or having missing keys etc in dns are no different from each other, so both are DKIM=none...
--
kivi...@iki.fi
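Added example, not part of any message in the thread and not the analysis script mentioned in it: a small Python tally of per-message DKIM/SPF combinations from rspamd-style ARC-Authentication-Results headers like the two quoted above. It applies the rule stated in the thread that any passing DKIM signature makes the message pass, and counts the comment attached to dkim=none results (such as "invalid DKIM record") separately. The function names, the "missing" label for an absent result, and the precedence among non-pass results are assumptions.

```python
import re
from collections import Counter

# Constructed samples: two follow the shapes quoted in the thread, the third is made up.
SAMPLES = [
    'ARC-Authentication-Results: i=1; MTA-v4; dkim=none ("invalid DKIM record") '
    'header.d=ernieball.com header.s=ci-ernieball header.b=XXX; dkim=pass '
    'header.d=criticalimpactinc.com header.s=keyd header.b=XXX; spf=pass (MTA-v4: XXX)',
    'ARC-Authentication-Results: i=1; MTA-v4; dkim=none ("invalid DKIM record") '
    'header.d=autostadium.fi header.s=x header.b=XXX; spf=pass (MTA-v4: XXX)',
    'ARC-Authentication-Results: i=1; mx.example; spf=softfail (mx.example: a;b)',
]
# Assumed precedence when no signature passes (the thread only fixes "any pass wins").
PRECEDENCE = ["pass", "fail", "temperror", "permerror", "none"]

def split_resinfo(header):
    """Split the header value on ';' characters that sit outside (comments)."""
    parts, buf, depth = [], [], 0
    for ch in header.split(":", 1)[1]:
        depth += (ch == "(") - (ch == ")" and depth > 0)
        if ch == ";" and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return [p for p in parts + ["".join(buf).strip()] if p]

def classify(header):
    """Return (overall dkim, spf, reasons given in comments on dkim=none results)."""
    dkim, spf, reasons = [], "missing", []
    for part in split_resinfo(header):
        m = re.match(r"(dkim|spf)\s*=\s*([a-z]+)", part)
        if m and m.group(1) == "spf":
            spf = m.group(2)
        elif m:
            dkim.append(m.group(2))
            comment = re.search(r"\(([^)]*)\)", part)
            if m.group(2) == "none" and comment:  # signature present but unusable
                reasons.append(comment.group(1).strip('"'))
    overall = next((r for r in PRECEDENCE if r in dkim), dkim[0] if dkim else "missing")
    return overall, spf, reasons

def tally(headers):
    """Count dkim/spf combinations and, separately, the dkim=none reasons."""
    combos, none_reasons = Counter(), Counter()
    for h in headers:
        dkim, spf, reasons = classify(h)
        combos[f"dkim={dkim},spf={spf}"] += 1
        none_reasons.update(reasons)
    return combos, none_reasons
```
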