Re: [mailop] (Mis)use of DKIMs length tag and its impact on DMARC and BIMI
That was strange, they do rewrite the sender, but don't resign the mail.

I can't see headers on mobile and I'm currently without an email client until Microsoft releases Office 2024, so thought they do it.

@Admin [mailop-owner]: Maybe you should add resigning? Ergo, strip out all and any DKIM signatures, ARC seals and anything, and then add a DKIM signature belonging to mailop.org

Original message
From: Benny Pedersen via mailop
Date: 2024-05-18 22:32 (GMT+01:00)
To: mailop@mailop.org
Subject: Re: [mailop] (Mis)use of DKIMs length tag and its impact on DMARC and BIMI

Sebastian Nielsen via mailop wrote on 2024-05-18 20:14:
> Yeah, for mailing lists the rewrite + resign method is better, like
> this mailing list does, rewrites everything to mailop@mailop.org
> And then resigns the mail with their own SPF and DKIM.

which this maillist does not do

Authentication-Results mx.junc.eu (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=sebbe.eu

if maillist did ARC first on base of dkim pass from you it would help to keep the ARC change in stable, this means we all could verify you did it right in the first place, but if maillist screw dkim before arc-sign and arc-seal it, then there is only one way back to trashcan :(

order of things matter

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
Re: [mailop] (Mis)use of DKIMs length tag and its impact on DMARC and BIMI
Sebastian Nielsen via mailop wrote on 2024-05-18 20:14:
> Yeah, for mailing lists the rewrite + resign method is better, like
> this mailing list does, rewrites everything to mailop@mailop.org
> And then resigns the mail with their own SPF and DKIM.

which this maillist does not do

Authentication-Results mx.junc.eu (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=sebbe.eu

if maillist did ARC first on base of dkim pass from you it would help to keep the ARC change in stable, this means we all could verify you did it right in the first place, but if maillist screw dkim before arc-sign and arc-seal it, then there is only one way back to trashcan :(

order of things matter
Re: [mailop] (Mis)use of DKIMs length tag and its impact on DMARC and BIMI
Yeah, for mailing lists the rewrite + resign method is better, like this mailing list does, rewrites everything to mailop@mailop.org
And then resigns the mail with their own SPF and DKIM.

Original message
From: Dave Crocker via mailop
Date: 2024-05-18 20:02 (GMT+01:00)
To: mailop@mailop.org
Subject: Re: [mailop] (Mis)use of DKIMs length tag and its impact on DMARC and BIMI

On 5/17/2024 7:12 AM, Taavi Eomäe via mailop wrote:
> Although some of these dangers have been known for a while (some parts
> are even described in the RFC itself), things like the threat
> landscape, our approach and the extent to which this can be abused
> have changed. In our opinion previously suggested and (rarely)
> implemented mitigations do not reduce these risks sufficiently.
>
> We hope that with some cooperation from mail operators improved
> defense measures can be implemented to strengthen DKIM for everyone.

As I recall, the original intent was to permit successful use of DKIM in spite of mailing lists' addition of footer text.

I think the view of damage from DKIM failure and/or abuse was rather more benign than suits today's email world.

It wasn't a great feature at the time and now it is worse than that.

Seems like the right approach is to seek community-wide pressure to deprecate it. First through operational pressure and then with an update to the spec.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
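
The footer case discussed in this thread, as an added example (not code from any of the posters or from the mailop list): a Python check that recomputes the DKIM body hash under `l=` and reports how many body bytes the signature leaves uncovered once a list footer is appended. It assumes `c=simple` body canonicalization, SHA-256 and CRLF line endings; the header values, `example.org`, the selector and the sample bodies are constructed, and `b=` is a placeholder that is never verified.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    # RFC 6376 "simple" body canonicalization (CRLF input assumed):
    # drop trailing empty lines, keep exactly one final CRLF.
    return body.rstrip(b"\r\n") + b"\r\n"

def body_hash(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    # Split a DKIM-Signature header value into tag=value pairs.
    pairs = (p.split("=", 1) for p in sig_value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def audit_length_tag(sig_value: str, body: bytes) -> dict:
    # Report whether bh= still matches and how many body bytes it does not cover.
    tags = parse_tags(sig_value)
    canon = canon_simple(body)
    limit = int(tags["l"]) if "l" in tags else len(canon)
    if limit > len(canon):  # l= larger than the body: verification must fail
        return {"has_l": True, "bh_ok": False, "unsigned_bytes": 0}
    return {
        "has_l": "l" in tags,
        "bh_ok": body_hash(canon[:limit]) == tags.get("bh"),
        "unsigned_bytes": len(canon) - limit,
    }

def constructed_sig(body: bytes, with_l: bool) -> str:
    # Constructed header value for the demo; b= is a placeholder, not a real signature.
    canon = canon_simple(body)
    l_tag = f" l={len(canon)};" if with_l else ""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d=example.org; s=sel;{l_tag}"
            f" h=from:subject; bh={body_hash(canon)}; b=PLACEHOLDER")

# Constructed sample: original body, then the same body after a list appends a footer.
ORIGINAL = b"Hello list,\r\nplease see my question below.\r\n"
FOOTER = b"___\r\nexample mailing list\r\n"
RELAYED = ORIGINAL + FOOTER

if __name__ == "__main__":
    for with_l in (True, False):
        sig = constructed_sig(ORIGINAL, with_l)
        print("l= present:", with_l, audit_length_tag(sig, RELAYED))
```

With `l=` the body hash still matches after the footer is added, but `unsigned_bytes` is non-zero, which is the condition a receiver can flag; without `l=` the same footer makes the body hash fail, matching the "message has been altered" result quoted above.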