Re: [dmarc-ietf] ARC vs p=quarantine
On Tue 22/Dec/2020 03:37:52 +0100 Benny Pedersen wrote:
> On 2020-12-21 18:27, Alessandro Vesely wrote:
>> On Mon 21/Dec/2020 01:52:11 +0100 Benny Pedersen wrote:
>>
>> For the message I'm replying to, I got:
>>
>> Authentication-Results: wmail.tana.it;
>>   spf=pass smtp.mailfrom=ietf.org;
>>   dkim=pass reason="Original-From: transformed" (whitelisted) header.d=junc.eu;
>>   dkim=pass (whitelisted) header.d=ietf.org header.b=GUNfiCpP;
>>   dkim=fail (signature verification failed, whitelisted) header.d=ietf.org header.b=IIMQxhd+
>>
>> Two out of three is not bad, is it? If IETF only did ARC seals, I'd
>> probably have verified no signature at all — since I don't run ARC checks.
>
> metacpan Mail::DKIM gives dkim invalid if just one dkim is invalid, so
> spamassassin says as well dkim invalid

I don't think that's a reasonable choice. A DKIM informative note exemplifies this very case:

    INFORMATIVE NOTE: The rationale of this requirement is to permit
    messages that have invalid signatures but also a valid signature to
    work. For example, a mailing list exploder might opt to leave the
    original submitter signature in place even though the exploder knows
    that it is modifying the message in some way that will break that
    signature, and the exploder inserts its own signature. In this case,
    the message should succeed even in the presence of the known-broken
    signature.

    https://tools.ietf.org/html/rfc6376#section-6.1

> what software used above to show this results ?

zdkimfilter

Best
Ale
--
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
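An added example, not part of the thread and not code from zdkimfilter, Mail::DKIM or SpamAssassin: it parses the Authentication-Results header quoted in the message above and contrasts the RFC 6376 section 6.1 reading (one valid signature suffices) with the all-signatures-must-verify behaviour described in the thread. The function names and the `require_all` switch are assumptions made for illustration.

```python
# Header value copied from the message above; all names below are hypothetical.
AR_HEADER = (
    'Authentication-Results: wmail.tana.it; spf=pass smtp.mailfrom=ietf.org; '
    'dkim=pass reason="Original-From: transformed" (whitelisted) header.d=junc.eu; '
    'dkim=pass (whitelisted) header.d=ietf.org header.b=GUNfiCpP; '
    'dkim=fail (signature verification failed, whitelisted) header.d=ietf.org header.b=IIMQxhd+'
)

def resinfo_items(header):
    """Split the header value on ';', dropping (comments) and "quoted" text."""
    items, buf, depth, quoted = [], [], 0, False
    for ch in header.split(":", 1)[1]:
        if quoted:
            quoted = ch != '"'            # skip until the closing quote
        elif ch == '"':
            quoted = True
        elif ch == "(":
            depth += 1                    # comments may nest
        elif ch == ")" and depth:
            depth -= 1
        elif depth:
            continue                      # inside a comment
        elif ch == ";":
            items.append("".join(buf).split())
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf).split())
    return [tokens for tokens in items if tokens]

def dkim_results(header):
    """Return [(result, d= domain)] for each dkim entry, in header order."""
    out = []
    for tokens in resinfo_items(header)[1:]:      # item 0 is the authserv-id
        method, _, result = tokens[0].partition("=")
        if method.lower() == "dkim":
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            out.append((result.lower(), props.get("header.d")))
    return out

def verdict(results, require_all=False):
    """require_all=False: RFC 6376 section 6.1 reading, one valid signature is
    enough. require_all=True: the behaviour described in the thread."""
    if not results:
        return "none"
    passed = [r == "pass" for r, _ in results]
    return "pass" if (all(passed) if require_all else any(passed)) else "fail"

res = dkim_results(AR_HEADER)
print(res, verdict(res), verdict(res, require_all=True))
```
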
Re: [dmarc-ietf] ARC vs p=quarantine
On 2020-12-21 18:27, Alessandro Vesely wrote:
> On Mon 21/Dec/2020 01:52:11 +0100 Benny Pedersen wrote:
>> On 2020-12-20 23:07, Michael Thomas wrote:
>>> On 12/20/20 2:01 PM, Benny Pedersen wrote:
>
> For the message I'm replying to, I got:
>
> Authentication-Results: wmail.tana.it;
>   spf=pass smtp.mailfrom=ietf.org;
>   dkim=pass reason="Original-From: transformed" (whitelisted) header.d=junc.eu;
>   dkim=pass (whitelisted) header.d=ietf.org header.b=GUNfiCpP;
>   dkim=fail (signature verification failed, whitelisted) header.d=ietf.org header.b=IIMQxhd+
>
> Two out of three is not bad, is it? If IETF only did ARC seals, I'd
> probably have verified no signature at all — since I don't run ARC checks.

metacpan Mail::DKIM gives dkim invalid if just one dkim is invalid, so spamassassin says as well dkim invalid

what software used above to show this results ?
Re: [dmarc-ietf] ARC vs p=quarantine
On Mon 21/Dec/2020 01:52:11 +0100 Benny Pedersen wrote:
> On 2020-12-20 23:07, Michael Thomas wrote:
>> On 12/20/20 2:01 PM, Benny Pedersen wrote:
>>> hopefully maillists stops dkim signing, it's the incorrect place to
>>> solve breaking dkim
>>
>> Sorry, ARC is warmed over DKIM, and an experiment. DKIM is a full
>> internet standard and expressly intended for lists, etc to resign if
>> they broke the original DKIM signature. We have always had the ability
>> to do reputation checks regardless of ARC. I'm not sure when this wg
>> lost sight of that.
>
> only original senders should dkim sign, rest should only arc sign, i
> don't have to agree on anything other than that, if maillists dkim sign
> they try to steal the original dkim private key without success, and
> there is possible a solution to dmarc adsp handling this break
> seeing ietf do 3 dkim sign just to be sure it does not work

For the message I'm replying to, I got:

Authentication-Results: wmail.tana.it;
  spf=pass smtp.mailfrom=ietf.org;
  dkim=pass reason="Original-From: transformed" (whitelisted) header.d=junc.eu;
  dkim=pass (whitelisted) header.d=ietf.org header.b=GUNfiCpP;
  dkim=fail (signature verification failed, whitelisted) header.d=ietf.org header.b=IIMQxhd+

Two out of three is not bad, is it? If IETF only did ARC seals, I'd probably have verified no signature at all — since I don't run ARC checks.

Best
Ale
Re: [dmarc-ietf] ARC vs p=quarantine
On 2020-12-20 23:07, Michael Thomas wrote:
> On 12/20/20 2:01 PM, Benny Pedersen wrote:
>> hopefully maillists stops dkim signing, it's the incorrect place to
>> solve breaking dkim
>
> Sorry, ARC is warmed over DKIM, and an experiment. DKIM is a full
> internet standard and expressly intended for lists, etc to resign if
> they broke the original DKIM signature. We have always had the ability
> to do reputation checks regardless of ARC. I'm not sure when this wg
> lost sight of that.

only original senders should dkim sign, rest should only arc sign, i don't have to agree on anything other than that, if maillists dkim sign they try to steal the original dkim private key without success, and there is possible a solution to dmarc adsp handling this break
seeing ietf do 3 dkim sign just to be sure it does not work
Re: [dmarc-ietf] ARC vs p=quarantine
On 12/20/20 2:01 PM, Benny Pedersen wrote:
> hopefully maillists stops dkim signing, it's the incorrect place to
> solve breaking dkim

Sorry, ARC is warmed over DKIM, and an experiment. DKIM is a full internet standard and expressly intended for lists, etc to resign if they broke the original DKIM signature. We have always had the ability to do reputation checks regardless of ARC. I'm not sure when this wg lost sight of that.

Mike
Re: [dmarc-ietf] ARC vs p=quarantine
On 2020-12-20 19:13, John R Levine wrote:
> On Sun, 20 Dec 2020, Alessandro Vesely wrote:
>>> question is who steps up to provide such shared lists.
>>
>> Dnswl.org counts about 25K domains.
>
> I suppose one might try them but I expect most of them are not sending
> forwarded mail.

only sending to maillists here that breaks dkim and do not add arc before breaking dkim, world of 2020 can't be better :=)

> I've finally gotten around to doing ARC checks in my SMTP daemon so I
> can see who's adding ARC seals.

hopefully maillists stops dkim signing, it's the incorrect place to solve breaking dkim

now that nearly all maillists i am on have showed what not to do, it's hopefully solved soon
Re: [dmarc-ietf] ARC vs p=quarantine
On Sun, 20 Dec 2020, Alessandro Vesely wrote:
>> question is who steps up to provide such shared lists.
>
> Dnswl.org counts about 25K domains.

I suppose one might try them but I expect most of them are not sending forwarded mail.

I've finally gotten around to doing ARC checks in my SMTP daemon so I can see who's adding ARC seals.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
Re: [dmarc-ietf] ARC vs p=quarantine
On Sat 19/Dec/2020 21:50:34 +0100 Dotzero wrote:
> On Sat, Dec 19, 2020 at 2:50 PM John Levine wrote:
>> In article <1e61f7c4-c6d2-5dab-dfc7-f1fd740e1...@tana.it> you write:
>>> Now my tiny MX stores 115,225 domains total. And I have no idea how I
>>> could add a trust-ARC-seals boolean field to each domain record.
>>
>> You wouldn't. Only a small fraction of those domains send enough
>> forwarded mail to be worth worrying about. We know we need some sort of
>> shared list of plausible forwarders but I would be amazed if it were
>> anything like 115K domains.
>
> So the need for a shared list has been expressed a number of times. The
> real question is who steps up to provide such shared lists.

Dnswl.org counts about 25K domains.

Best
Ale
Re: [dmarc-ietf] ARC vs p=quarantine
On Sat, Dec 19, 2020 at 2:50 PM John Levine wrote:
> In article <1e61f7c4-c6d2-5dab-dfc7-f1fd740e1...@tana.it> you write:
> >Now my tiny MX stores 115,225 domains total. And I have no idea how I could
> >add a trust-ARC-seals boolean field to each domain record.
>
> You wouldn't. Only a small fraction of those domains send enough forwarded
> mail to be worth worrying about. We know we need some sort of shared list
> of plausible forwarders but I would be amazed if it were anything like 115K
> domains.
>
> R's,
> John

So the need for a shared list has been expressed a number of times. The real question is who steps up to provide such shared lists.

Michael Hammer
Re: [dmarc-ietf] ARC vs p=quarantine
In article <1e61f7c4-c6d2-5dab-dfc7-f1fd740e1...@tana.it> you write:
>Now my tiny MX stores 115,225 domains total. And I have no idea how I could
>add a trust-ARC-seals boolean field to each domain record.

You wouldn't. Only a small fraction of those domains send enough forwarded mail to be worth worrying about. We know we need some sort of shared list of plausible forwarders but I would be amazed if it were anything like 115K domains.

R's,
John