Re: [ietf-dkim] Escaping things in key/ADSP records
Excellent job. Perhaps a pointer to this can go on the dkim.org site?

	Tony Hansen
	t...@att.com

Steve Atkins wrote:
> On Jul 31, 2009, at 2:02 PM, Steve Atkins wrote:
>
>> (This may be a duplicate, I have too many email addresses)
>>
>> On Jul 31, 2009, at 12:08 PM, Scott Kitterman wrote:
>>
>>> On Fri, 31 Jul 2009 10:19:43 -0400 Tony Hansen <t...@att.com> wrote:
>>>
>>>> I'm wondering if there is a need for a web interface at dkim.org that
>>>> would validate someone's _domainkey TXT record.
>>>
>>> I'd say yes. It would provide a good way to isolate record specific
>>> issues from other potential problems people are having error sources
>>> when troubleshooting.
>>
>> I have some perl code that does some validation for internal use; it'd
>> be fairly easy to turn it into a webapp.
>
> http://dkimcore.org/tools/dkimrecordcheck.html
>
> Given a selector and a domain it'll slurp the record from DNS. Then it
> parses it, using the BNF from the spec (<rhetorical>why, oh, why do we
> support FWS in a DNS record?</rhetorical>) and then sanity checks the
> various fields and gives a good / bad message.
>
> If anyone has good (or known bad) records that it gets wrong I'm
> interested to hear about it.
>
> Cheers,
>   Steve

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
I am not ready to make that statement yet. Considering that a lot of spam has valid DKIM signatures I am not sure when I will make that statement.

From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Franck Martin
Sent: Friday, July 31, 2009 6:23 PM
To: ietf-dkim@mipassoc.org
Subject: [ietf-dkim] DKIM adoption

Looking at DKIM adoption.

I have seen statements that some mailers will do DKIM based reputation if available, but I have yet to see a statement as either:

-an email not signed with DKIM will have its reputation lowered (less likely to pass filters)
-an email signed with DKIM will have its reputation increased (more likely to pass filters)

I think if there were some postmasters making such a statement it would boost the adoption of DKIM.

I think stating that some postmasters are moving to domain based reputation is just encouraging the status quo of not DKIM signing to stay in IP based reputation.
Re: [ietf-dkim] Escaping things in key/ADSP records
> -----Original Message-----
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Steve Atkins
> Sent: Sunday, August 02, 2009 6:34 PM
> To: DKIM WG
> Subject: Re: [ietf-dkim] Escaping things in key/ADSP records
> [...]

Nice work! However:

> If anyone has good (or known bad) records that it gets wrong I'm
> interested to hear about it.

It reports the contents of medusa3._domainkey.blackops.org as invalid which is not correct. That record contains an r= and an rs= tag, both of which are defined by active I-Ds. Those tags may be unknown to RFC4871, but that specification says such should merely be ignored; they don't render the record invalid.

-MSK
Re: [ietf-dkim] Escaping things in key/ADSP records
On Aug 3, 2009, at 9:13 AM, Murray S. Kucherawy wrote:

>> -----Original Message-----
>> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Steve Atkins
>> Sent: Sunday, August 02, 2009 6:34 PM
>> To: DKIM WG
>> Subject: Re: [ietf-dkim] Escaping things in key/ADSP records
>> [...]
>
> Nice work! However:
>
>> If anyone has good (or known bad) records that it gets wrong I'm
>> interested to hear about it.
>
> It reports the contents of medusa3._domainkey.blackops.org as invalid
> which is not correct. That record contains an r= and an rs= tag, both of
> which are defined by active I-Ds. Those tags may be unknown to RFC4871,
> but that specification says such should merely be ignored; they don't
> render the record invalid.

For typical DKIM users though, commenting on an invalid field as "This is probably invalid, but there might be an experimental I-D that's using it, so maybe it's OK and receivers may or may not ignore it" is going to be far more confusing than "This is wrong, fix it." - as if they're using r= it's probably a typo or a misunderstanding, rather than intentional use of an experimental field.

You're intentionally using non-standard or experimental fields - so you know better than the mechanical validator, and that's OK.

(If we were to add a form on dkim.org that points to the checker, that might be the place to discuss what it considers valid and what it doesn't.)

It might be interesting to have an alternate checker that tracks the additional fields being discussed in active I-Ds too, though. Is there a registry of experimental fields or list of I-Ds anywhere?

Cheers,
  Steve
Re: [ietf-dkim] Escaping things in key/ADSP records
> -----Original Message-----
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Steve Atkins
> Sent: Monday, August 03, 2009 9:59 AM
> To: DKIM WG
> Subject: Re: [ietf-dkim] Escaping things in key/ADSP records
>
> For typical DKIM users though, commenting on an invalid field as "This is
> probably invalid, but there might be an experimental I-D that's using it,
> so maybe it's OK and receivers may or may not ignore it" is going to be
> far more confusing than "This is wrong, fix it." - as if they're using r=
> it's probably a typo or a misunderstanding, rather than intentional use
> of an experimental field.

How about: "The following tags are non-standard and will likely be ignored by most verifiers"?

Some of Tony's examples such as "h=rsa-sha1" can certainly be reported as invalid as they are standardized tags with illegal values (i.e., the legal values are enumerated).

> It might be interesting to have an alternate checker that tracks the
> additional fields being discussed in active I-Ds too, though. Is there a
> registry of experimental fields or list of I-Ds anywhere?

Alas, no. And it would be difficult, I think, to try to corral people into using one in general (though the audience is currently pretty small so for now it's a practical idea).

-MSK
Re: [ietf-dkim] Escaping things in key/ADSP records
On Aug 3, 2009, at 10:28 AM, Murray S. Kucherawy wrote:

>> For typical DKIM users though, commenting on an invalid field as "This
>> is probably invalid, but there might be an experimental I-D that's using
>> it, so maybe it's OK and receivers may or may not ignore it" is going to
>> be far more confusing than "This is wrong, fix it." - as if they're
>> using r= it's probably a typo or a misunderstanding, rather than
>> intentional use of an experimental field.
>
> How about: "The following tags are non-standard and will likely be
> ignored by most verifiers"?
>
> Some of Tony's examples such as "h=rsa-sha1" can certainly be reported as
> invalid as they are standardized tags with illegal values (i.e., the
> legal values are enumerated).
>
>> It might be interesting to have an alternate checker that tracks the
>> additional fields being discussed in active I-Ds too, though. Is there a
>> registry of experimental fields or list of I-Ds anywhere?
>
> Alas, no. And it would be difficult, I think, to try to corral people
> into using one in general (though the audience is currently pretty small
> so for now it's a practical idea).

Ah. If there's no registry of fields then there's nothing to say that a receiver isn't experimenting with an r= field that's completely different to the r= field that Tony is publishing. So it isn't safe to assume that a receiver that isn't using Tony's definition of r= will ignore his r= field, rather we're solidly into undefined behavior and something that is definitely an error in a production record (as opposed to a record used for pre-arranged testing with a specific receiver).

Cheers,
  Steve
Re: [ietf-dkim] Escaping things in key/ADSP records
On 08/03/2009 09:13 AM, Murray S. Kucherawy wrote:

>> -----Original Message-----
>> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Steve Atkins
>> Sent: Sunday, August 02, 2009 6:34 PM
>> To: DKIM WG
>> Subject: Re: [ietf-dkim] Escaping things in key/ADSP records
>> [...]
>
> Nice work! However:
>
>> If anyone has good (or known bad) records that it gets wrong I'm
>> interested to hear about it.
>
> It reports the contents of medusa3._domainkey.blackops.org as invalid
> which is not correct. That record contains an r= and an rs= tag, both of
> which are defined by active I-Ds. Those tags may be unknown to RFC4871,
> but that specification says such should merely be ignored; they don't
> render the record invalid.

An active I-D does not a standard make ;-)

But yeah, it should probably just tag them as unknown/ignored-by-4871 rather than an error.

Mike
Re: [ietf-dkim] DKIM adoption
On 8/2/09 1:06 AM, Mark Delany wrote:

> On Aug 1, 2009, at 9:14 PM, Franck Martin wrote:
>
>> But is ICANN supposed to clean all these random valid domains?
>
> You half-joke, but one of the arguments we presented to the FTC back in
> 2003 or so regarding spam was that we had an opportunity to regulate
> issuance of domain names. If not regulate, then at least insist on an
> identifiable legal entity being required to register a domain.

Rather than viewing control of a domain as indicative of good email behavior, positive reputations based upon histories of DKIM signatures could offer an alternative or enhancement to methods currently used in the disposition of messages.

As SMTP transitions into the use of IPv6, IP address reputations will also need to rapidly transition to a positive mode of assessment as perhaps the only method that has a chance to scale in the face of new levels of abuse.

It might be interesting to review information exchanged during DKIM assessment, such as a hash of the i= value in conjunction with the DKIM key location. Perhaps a new industry standard could be adopted in this regard. It might be interesting to find whether there might be interest in developing third-party authorization schemes.

-Doug
Re: [ietf-dkim] DKIM adoption
On Aug 3, 2009, at 10:31 AM, Douglas Otis wrote:

> On 8/2/09 1:06 AM, Mark Delany wrote:
>
>> On Aug 1, 2009, at 9:14 PM, Franck Martin wrote:
>>
>>> But is ICANN supposed to clean all these random valid domains?
>>
>> You half-joke, but one of the arguments we presented to the FTC back in
>> 2003 or so regarding spam was that we had an opportunity to regulate
>> issuance of domain names. If not regulate, then at least insist on an
>> identifiable legal entity being required to register a domain.
>
> Rather than viewing control of a domain as indicative of good email
> behavior, positive reputations based upon histories of DKIM signatures
> could offer an alternative or enhancement to methods currently used in
> the disposition of messages.

That's entirely orthogonal and nothing new. My point was something stronger and different from reputation, namely something jurisdictional; can I find (and sue) the owner of the domain on the DKIM signature?

Mark.
Re: [ietf-dkim] DKIM adoption
On 08/03/2009 11:01 AM, Mark Delany wrote:

> On Aug 3, 2009, at 10:31 AM, Douglas Otis wrote:
>
>> On 8/2/09 1:06 AM, Mark Delany wrote:
>>
>>> On Aug 1, 2009, at 9:14 PM, Franck Martin wrote:
>>>
>>>> But is ICANN supposed to clean all these random valid domains?
>>>
>>> You half-joke, but one of the arguments we presented to the FTC back in
>>> 2003 or so regarding spam was that we had an opportunity to regulate
>>> issuance of domain names. If not regulate, then at least insist on an
>>> identifiable legal entity being required to register a domain.
>>
>> Rather than viewing control of a domain as indicative of good email
>> behavior, positive reputations based upon histories of DKIM signatures
>> could offer an alternative or enhancement to methods currently used in
>> the disposition of messages.
>
> That's entirely orthogonal and nothing new. My point was something
> stronger and different from reputation, namely something jurisdictional;
> can I find (and sue) the owner of the domain on the DKIM signature?

I think that it's larger than that: Given a domain name, what can we educe from it?

1) who is the registrant?
   o how long has it been around
   o etc, etc
2) who is the registrar?
   o how hard is it to mass-enroll domains?
   o are they known to turn a blind eye to spammers?
   etc, etc.

That is, start looking up the food chain for bad behavior. Until there are negative consequences, registrars will take the free if smelly money. What can we do to create a negative consequence?

Mike
Re: [ietf-dkim] DKIM adoption
Franck Martin wrote:
> Looking at DKIM adoption.
>
> I have seen statements that some mailers will do DKIM based reputation
> if available, but I have yet to see a statement as either:
>
> -an email not signed with DKIM will have its reputation lowered (less
> likely to pass filters)
> -an email signed with DKIM will have its reputation increased (more
> likely to pass filters)
>
> I think if there were some postmasters making such a statement it would
> boost the adoption of DKIM.

Yahoo! broadly hinted, some years ago, that they'd start giving a slight positive bump to messages signed with DomainKeys. Two things happened:

1. serious hardcore spammers (not just misguided marketers) started including DomainKeys signatures
2. lots of people who really should've known better started saying "use DomainKeys and your deliverability will improve!"

We also wrote about the slow emergence of domain reputation recently, trying to avoid piling on to the hyperbolic misrepresentations so common on other email marketing blogs: http://www.returnpath.net/blog/2009/07/domain-reputation-what-it-mean.php

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/
Re: [ietf-dkim] DKIM adoption
Paul Russell wrote:
> Probably not. But DKIM is not designed to provide a message recipient
> with the ability to determine whether a message is spam; it is designed
> to provide a message recipient with the ability to determine whether a
> message was sent by the apparent sender.

Since your caution constructively seeks to pay attention to what DKIM is *not* and especially since that goes against most folks' expectations for DKIM, it's tempting simply to agree.

Strictly speaking, however, the 'apparent sender' reference is likely to be problematic since those same most folks will think it means the author (From: field) and it might or might not. The signing does not even have to be a direct handler of the message, per the Goodmail form signing on behalf of the author's organization.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [ietf-dkim] DKIM adoption
bill.ox...@cox.com wrote:
> , but I have yet to see a statement as either:
>
> -an email not signed with DKIM will have its reputation lowered (less
> likely to pass filters)
> -an email signed with DKIM will have its reputation increased (more
> likely to pass filters)

The presence or absence of a DKIM signature carries no inherent semantics about reputation of the signer.

Consequently anyone increasing or lowering a reputation assessment based on the presence or absence of a DKIM signature is going far beyond its stated purpose.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [ietf-dkim] DKIM adoption
On 8/3/09 11:01 AM, Mark Delany wrote:

> That's entirely orthogonal and nothing new. My point was something
> stronger and different from reputation, namely something jurisdictional;
> can I find (and sue) the owner of the domain on the DKIM signature?

An ISP might, but recipients had their legal standing removed by CAN-SPAM. Regardless, reputation would be more cost effective.

-Doug
Re: [ietf-dkim] Escaping things in key/ADSP records
It could put in a heading of "Unrecognized tag X=" for each such tag.

	Tony Hansen
	t...@att.com

Steve Atkins wrote:
> On Aug 3, 2009, at 9:13 AM, Murray S. Kucherawy wrote:
>
>>> -----Original Message-----
>>> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Steve Atkins
>>> Sent: Sunday, August 02, 2009 6:34 PM
>>> To: DKIM WG
>>> Subject: Re: [ietf-dkim] Escaping things in key/ADSP records
>>> [...]
>>
>> Nice work! However:
>>
>>> If anyone has good (or known bad) records that it gets wrong I'm
>>> interested to hear about it.
>>
>> It reports the contents of medusa3._domainkey.blackops.org as invalid
>> which is not correct. That record contains an r= and an rs= tag, both
>> of which are defined by active I-Ds. Those tags may be unknown to
>> RFC4871, but that specification says such should merely be ignored;
>> they don't render the record invalid.
>
> For typical DKIM users though, commenting on an invalid field as "This is
> probably invalid, but there might be an experimental I-D that's using it,
> so maybe it's OK and receivers may or may not ignore it" is going to be
> far more confusing than "This is wrong, fix it." - as if they're using r=
> it's probably a typo or a misunderstanding, rather than intentional use
> of an experimental field.
>
> You're intentionally using non-standard or experimental fields - so you
> know better than the mechanical validator, and that's OK.
>
> (If we were to add a form on dkim.org that points to the checker, that
> might be the place to discuss what it considers valid and what it
> doesn't.)
>
> It might be interesting to have an alternate checker that tracks the
> additional fields being discussed in active I-Ds too, though. Is there a
> registry of experimental fields or list of I-Ds anywhere?
>
> Cheers,
>   Steve
Re: [ietf-dkim] Everything not forbidden is permitted
Just some clarification, there is no way for an outsider to query this record if you don't know it exists?

The selector basically hides the record from DNS in comparison to SPF which is easy to find in a DNS zone.

----- Original Message -----
From: "Steve Atkins" <st...@wordtothewise.com>
To: "DKIM WG" <ietf-dkim@mipassoc.org>
Sent: Tuesday, 4 August, 2009 11:15:52 AM GMT +12:00 Fiji
Subject: [ietf-dkim] Everything not forbidden is permitted

Chatting with people offlist the issue of whether there is such a thing as a good or bad DKIM record came up. I'm trying to get a feel for people's views on that so, to give a concrete example, if your postmaster came to you with this DKIM record they wanted you to publish in DNS, would you publish it as-is? If not, why not?

september2006._domainkey.example.com 300 IN TXT "version=DKIM1; a=rsa-sha1; c=simple/simple; hash=sha1; t=testing; p=MIGfMA0G<more base64 gunk>;"

Cheers,
  Steve
Re: [ietf-dkim] Everything not forbidden is permitted
On Aug 3, 2009, at 4:33 PM, Franck Martin wrote:

> Just some clarification, there is no way for an outsider to query this
> record if you don't know it exists?

Yup.

> The selector basically hides the record from DNS in comparison to SPF
> which is easy to find in a DNS zone.

Assume the postmaster is going to be signing your outbound email using september2006 as the selector. They're not messing with you - they're deploying DKIM, using the private key that goes with the p= public key in the record below.

Cheers,
  Steve

> ----- Original Message -----
> From: "Steve Atkins" <st...@wordtothewise.com>
> To: "DKIM WG" <ietf-dkim@mipassoc.org>
> Sent: Tuesday, 4 August, 2009 11:15:52 AM GMT +12:00 Fiji
> Subject: [ietf-dkim] Everything not forbidden is permitted
>
> Chatting with people offlist the issue of whether there is such a thing
> as a good or bad DKIM record came up. I'm trying to get a feel for
> people's views on that so, to give a concrete example, if your postmaster
> came to you with this DKIM record they wanted you to publish in DNS,
> would you publish it as-is? If not, why not?
>
> september2006._domainkey.example.com 300 IN TXT "version=DKIM1; a=rsa-sha1; c=simple/simple; hash=sha1; t=testing; p=MIGfMA0G<more base64 gunk>;"
>
> Cheers,
>   Steve
Re: [ietf-dkim] Everything not forbidden is permitted
The near issue has already come up and the end-result - NO.

A customer was asked by their direct marketing spammer to add DKIM/DKEY records because YAHOO was forcing the issue on the spammer to access YAHOO recipients. They wanted to sign:

   coupons.majorcompany.com

and ask the company to add DNS selector records. But the major company did have a way to stop fake or 3rd party

   majorcompany.com
   dept.majorcompany.com
   services.majorcompany.com

signatures once bad guys learned that the domain was being signed! Since DKIM lacks fault detection, the answer was no.

--
HLS

Steve Atkins wrote:
> Chatting with people offlist the issue of whether there is such a thing
> as a good or bad DKIM record came up. I'm trying to get a feel for
> people's views on that so, to give a concrete example, if your postmaster
> came to you with this DKIM record they wanted you to publish in DNS,
> would you publish it as-is? If not, why not?
>
> september2006._domainkey.example.com 300 IN TXT "version=DKIM1; a=rsa-sha1; c=simple/simple; hash=sha1; t=testing; p=MIGfMA0G<more base64 gunk>;"
>
> Cheers,
>   Steve
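The checker behaviour argued over in these threads, as an added example: this is not the list's code, nor the dkimcore.org tool, nor anything from the archive itself. It is a small Python validator for DKIM key (selector) TXT records written against RFC 4871's tag=value syntax and key-record tags. Tags the RFC does not define are reported as "Unrecognized tag X=" warnings, since RFC 4871 verifiers ignore them (Murray's and Tony's point), while a defined tag with a value outside the enumerated set, such as h=rsa-sha1, is an error (Murray's other point). The sample records are constructed: one copies the record Steve posted, every p= is a short base64 placeholder rather than a real key, and the record carrying r= and rs= is a stand-in with made-up values, not the actual medusa3._domainkey.blackops.org contents.

```python
"""Added example: validator for DKIM public-key (selector) TXT records.

Syntax follows RFC 4871 section 3.2 (tag-lists) and the key-record tags of
section 3.6.1.  Unknown tags become warnings; illegal values become errors.
"""
import base64
import re
from typing import Dict, List, Tuple

KNOWN_TAGS = {"v", "h", "k", "n", "p", "s", "t"}   # RFC 4871 section 3.6.1
KNOWN_HASHES = {"sha1", "sha256"}
KNOWN_KEY_TYPES = {"rsa"}
KNOWN_SERVICES = {"*", "email"}
KNOWN_FLAGS = {"y", "s"}
TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")   # tag-name = ALPHA *ALNUMPUNC


def parse_tag_list(record: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a tag-list into {name: value}; FWS around names and values is dropped."""
    tags: Dict[str, str] = {}
    errors: List[str] = []
    for item in record.split(";"):
        if not item.strip():
            continue                      # a trailing ';' is legal
        if "=" not in item:
            errors.append(f"malformed tag (no '='): {item.strip()!r}")
            continue
        name, value = (part.strip() for part in item.split("=", 1))
        if not TAG_NAME.match(name):
            errors.append(f"illegal tag name {name!r}")
        elif name in tags:                # RFC 4871: duplicates invalidate the list
            errors.append(f"duplicate tag {name}= (the whole record is invalid)")
        else:
            tags[name] = value
    return tags, errors


def _split_list(value: str, sep: str) -> List[str]:
    return [v.strip() for v in value.split(sep) if v.strip()]


def validate_key_record(record: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors make the record unusable or plainly
    wrong; warnings are things a verifier ignores but a publisher should see."""
    tags, errors = parse_tag_list(record)
    warnings: List[str] = []

    for name in tags:
        if name not in KNOWN_TAGS:        # Tony's suggested heading, per tag
            warnings.append(f"Unrecognized tag {name}= (ignored by RFC 4871 verifiers)")

    if "v" in tags:
        if tags["v"] != "DKIM1":
            errors.append(f"v= must be DKIM1, got {tags['v']!r}")
        elif next(iter(tags)) != "v":     # RECOMMENDED to be first, not required
            warnings.append("v= is present but is not the first tag")

    if "h" in tags:
        algs = _split_list(tags["h"], ":")
        unknown = [a for a in algs if a not in KNOWN_HASHES]
        if unknown and len(unknown) == len(algs):   # e.g. h=rsa-sha1: no usable algorithm
            errors.append(f"h= lists no usable hash algorithm: {tags['h']!r}")
        elif unknown:
            warnings.append(f"h= contains unrecognized algorithm(s) {unknown} (ignored)")

    if "k" in tags and tags["k"] not in KNOWN_KEY_TYPES:
        errors.append(f"k= key type {tags['k']!r} cannot be used by RFC 4871 verifiers")

    if "s" in tags and not any(s in KNOWN_SERVICES for s in _split_list(tags["s"], ":")):
        errors.append(f"s= does not permit use for email: {tags['s']!r}")

    if "t" in tags:
        flags = _split_list(tags["t"], ":")
        for flag in flags:
            if flag not in KNOWN_FLAGS:   # unrecognized flags MUST be ignored
                warnings.append(f"t= flag {flag!r} is unrecognized (ignored)")
        if "y" in flags:
            warnings.append("t=y: domain is testing DKIM; failures are treated as unsigned mail")

    if "p" not in tags:
        errors.append("p= is REQUIRED")
    else:
        key = re.sub(r"\s+", "", tags["p"])   # FWS inside the base64 is allowed
        if key == "":
            warnings.append("p= is empty: this key has been revoked")
        else:
            try:
                base64.b64decode(key, validate=True)
            except ValueError:            # binascii.Error is a ValueError
                errors.append("p= is not valid base64")
    return errors, warnings


def verdict(record: str) -> str:
    """The one-line good / bad message a web checker would show."""
    errors, warnings = validate_key_record(record)
    if errors:
        return "bad"
    return "good (with warnings)" if warnings else "good"


# Constructed sample records.  Every p= is a short base64 placeholder, not a
# real key.  "thread_example" copies the record posted on the list; "experimental"
# is a made-up stand-in for a record carrying I-D tags, NOT the real medusa3 record.
SAMPLE_RECORDS = {
    "good": "v=DKIM1; k=rsa; h=sha256; p=MIGfMA0G",
    "thread_example": "version=DKIM1; a=rsa-sha1; c=simple/simple; hash=sha1; t=testing; p=MIGfMA0G",
    "experimental": "v=DKIM1; k=rsa; r=placeholder; rs=placeholder; p=MIGfMA0G",
    "bad_hash": "v=DKIM1; h=rsa-sha1; p=MIGfMA0G",
    "duplicate": "v=DKIM1; p=MIGfMA0G; p=MIGfMA0G",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        errs, warns = validate_key_record(rec)
        print(f"{label}: {verdict(rec)}")
        for line in errs:
            print("  ERROR:", line)
        for line in warns:
            print("  warn: ", line)
```

Run as a script it prints a verdict per sample. The record Steve posted comes out "good (with warnings)" rather than "bad": version=, a=, c= and hash= are all syntactically legal unknown tags and t=testing is an unrecognized flag, so a strict RFC 4871 reading finds nothing forbidden, which is exactly the "everything not forbidden is permitted" problem the thread is about. The r=/rs= stand-in is likewise flagged only with two warnings, and h=rsa-sha1 is the case that does become an error, because no listed algorithm is usable.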