[dmarc-ietf] Re: Proxy signatures to combat SPF upgrade?

2024-06-10 Thread Douglas Foster
Several differences:

I am not worried about From authentication of ESP messages because I have
concluded that the major ESPs can be trusted to authenticate their
clients.  The client might be malicious, but the identity will not be
forged.

Along the same lines, ESPs are not doing forwarding so I don't have to deal
with the identity confusion that forwarding creates.

ESP signatures affirm their own identity only.  They are not
client-specific.

If I had a lot of incoming forwards, I might be interested in the ESP
signature when the ESP Mail from identity is lost.  Without that problem,
ESP signatures are redundant.

In short, ESPs have none of the risks associated with shared tenancy mail
servers like Outlook.com.  In that environment, SPF Pass with alignment is
a weak validation of the From domain, and even that is sometimes lacking.
DKIM is still best.  Google's client-specific DKIM signature is an
intermediate level of validation and it is useful to me.  The
client-specific signatures in Outlook.com are likely to be useful but I
need to do more investigating.

Smaller hosting services will have trouble gaining trust, even if they use
client-specific signatures, so the concept is not likely to scale up.  But
it works for me.

Doug


On Mon, Jun 10, 2024, 9:55 PM Neil Anuskiewicz  wrote:

>
>
> On Jun 7, 2024, at 1:14 AM, Richard Clayton 
> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In message  il.com>, Douglas Foster  writes
>
> Google applies annotation signatures from ..
>
> gappsstmpt.com, with periods replaced in the domain name.
>
> Microsoft applies proxy signatures from .onmicrosoft.com
>
>
> pretty much every ESP adds a DKIM signature of their own ... it will not
> in general be aligned, but the DMARC reports will provide useful info.
>
>
> Yes, there’s almost always a default signature signed by a domain owned by
> the ESP.
>
> I think that this practice was started, in part, to ensure getting
> successfully on all the feedback loops. Now obviously you can add a second
> signature signed with your own domain. With many of the larger ESPs, as we
> likely all know already, aligned SPF isn't an option. You can DKIM sign but
> you have to leave the envelope from to the ESP.
>
> Neil
> ___
> dmarc mailing list -- dmarc@ietf.org
> To unsubscribe send an email to dmarc-le...@ietf.org
>


[dmarc-ietf] Re: Proxy signatures to combat SPF upgrade?

2024-06-10 Thread Neil Anuskiewicz


> On Jun 7, 2024, at 1:14 AM, Richard Clayton  wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> In message  il.com>, Douglas Foster  writes
> 
>> Google applies annotation signatures from ..
>> gappsstmpt.com, with periods replaced in the domain name.
>> Microsoft applies proxy signatures from .onmicrosoft.com
> 
> pretty much every ESP adds a DKIM signature of their own ... it will not
> in general be aligned, but the DMARC reports will provide useful info.

Yes, there’s almost always a default signature signed by a domain owned by the 
ESP. 

I think that this practice was started, in part, to ensure getting
successfully on all the feedback loops. Now obviously you can add a second
signature signed with your own domain. With many of the larger ESPs, as we
likely all know already, aligned SPF isn't an option. You can DKIM sign but you
have to leave the envelope from to the ESP.

Neil
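The situation Neil and Richard describe (an ESP's own default DKIM signature that verifies but does not align, an envelope sender owned by the ESP so SPF cannot align, and a second signature with the client's own domain that makes DMARC pass) comes down to DMARC's identifier-alignment rules. The following is an added worked example, not code from this thread or from any ESP; it evaluates alignment the way RFC 7489 defines it (strict: exact match; relaxed: same organizational domain). All domain names are constructed, and the public-suffix table is a tiny stand-in for the real Public Suffix List, which production code would load instead.

```python
"""DMARC identifier alignment, worked through for an ESP-sent message.

Constructed scenario: client example.com sends through an ESP. The ESP adds
its own default DKIM signature (d= an ESP-owned domain) and uses its own
bounce domain as RFC5321.MailFrom, so SPF cannot align. The client may add
a second signature with its own domain. Every domain here is made up.
"""
from dataclasses import dataclass, field

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# constructed domains below. Real code would load the PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain, e.g. mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest; the first
    # public suffix found plus one label is the organizational domain.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(identifier: str, rfc5322_from: str, mode: str) -> bool:
    """DMARC alignment of one authenticated identifier with the From: domain."""
    a, b = identifier.lower(), rfc5322_from.lower()
    if mode == "strict":
        return a == b
    if mode == "relaxed":
        return organizational_domain(a) == organizational_domain(b)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class AuthResults:
    """What a verifier sees after DKIM and SPF checks (constructed input)."""
    from_domain: str                                       # RFC5322.From domain
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verified
    spf_result: str = "none"                               # pass / fail / none ...
    spf_domain: str = ""                                   # RFC5321.MailFrom domain


def dmarc_evaluate(r: AuthResults, adkim: str = "relaxed", aspf: str = "relaxed") -> dict:
    """Split identifiers into aligned / unaligned and derive the DMARC outcome."""
    dkim_aligned = [d for d in r.dkim_pass_domains if aligned(d, r.from_domain, adkim)]
    dkim_unaligned = [d for d in r.dkim_pass_domains if d not in dkim_aligned]
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    return {
        "dkim_aligned": dkim_aligned,
        "dkim_unaligned": dkim_unaligned,  # ESP default signatures land here: report-only value
        "spf_aligned": spf_aligned,
        "dmarc": "pass" if (dkim_aligned or spf_aligned) else "fail",
    }


def esp_default_only() -> dict:
    # The ESP signs with its own domain only and uses its own bounce domain.
    return dmarc_evaluate(AuthResults(
        from_domain="example.com",
        dkim_pass_domains=["esp-mailer.example.net"],
        spf_result="pass", spf_domain="bounces.esp-mailer.example.net"))


def esp_plus_client_signature() -> dict:
    # Same message, but the client also signs with its own domain.
    return dmarc_evaluate(AuthResults(
        from_domain="example.com",
        dkim_pass_domains=["esp-mailer.example.net", "example.com"],
        spf_result="pass", spf_domain="bounces.esp-mailer.example.net"))


def subdomain_signature(adkim: str) -> dict:
    # Client signs as mail.example.com: aligned under relaxed, not under strict.
    return dmarc_evaluate(AuthResults(
        from_domain="example.com",
        dkim_pass_domains=["mail.example.com"]), adkim=adkim)


if __name__ == "__main__":
    for name, res in [("ESP default only", esp_default_only()),
                      ("ESP + client signature", esp_plus_client_signature()),
                      ("subdomain, relaxed", subdomain_signature("relaxed")),
                      ("subdomain, strict", subdomain_signature("strict"))]:
        print(f"{name:24s} -> {res}")
```

The first scenario is the one Richard points at: the ESP signature verifies, SPF passes, and DMARC still fails because neither identifier aligns with the From domain; the unaligned d= value is exactly what shows up in aggregate reports. Adding the client's own signature flips the outcome to pass without touching the envelope sender, which is why the advice is to DKIM sign with your own domain and leave the envelope from to the ESP. The third scenario shows why a domain owner who signs from a subdomain needs relaxed adkim.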