Re: [mailop] DKIM by the third party

2022-04-22 Thread John Levine via mailop
It appears that Ángel via mailop said:
>In the usual context of email communication, if I receive an email
> From: Henrik S 
>
>what I would want to know is whether it really comes from 
>tomatoservers.com. As such, a signature by pobox.com would have no
>value for that.

Keep in mind that knowing whether it's signed by tomatoservers.com
tells you nothing by itself about whether it's spam.

For that you need an identifier with some reputation (good or bad), and DKIM
signatures from pobox.com and tomatoservers.com could both be useful for that.
Pobox is likely to be more useful since they sign more mail and so have a more
reliable reputation.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] DKIM by the third party

2022-04-22 Thread Ángel via mailop
On 2022-04-21 at 10:04 +0800, Henrik S via mailop wrote:
> Hello
> 
> My mail is sent by the third party smtp server, and the dkim
> signature 
> is made for the third party domain (for this case, it's pobox.com).
> 
> does this DKIM help with the authorization of my outgoing
> messages?
> 
> Thanks

I believe the answer for what you are actually trying to ask is NO.

In the usual context of email communication, if I receive an email
 From: Henrik S 

what I would want to know is whether it really comes from 
tomatoservers.com. As such, a signature by pobox.com would have no
value for that.

That is the stance of DMARC, which expects email with a From: of
tomatoservers.com to be signed with a DKIM signature of tomatoservers.com
or to have SPF for that (which you have set).


Technically, DKIM (RFC 6376) doesn't preclude unrelated parties from signing
email, and those signatures would typically be ignored by other systems.
Or used for reasons unrelated to actual mail delivery, such as giving
access to GPT, as Laura mentions.

However, *some* systems do give more weight when signed by third-party
keys that are "good".
If -historically- most email signed by pobox.com is not spam, your
tomatoservers.com mail signed by pobox.com is probably leaning as well to
not being spam. This may be taken into account when weighting it.
Whereas if mail signed by pobox.com has a 50% chance of being spam,
that signature wouldn't help.

In summary, having a signature from pobox.com on your tomatoservers.com
mail won't "authorize" your outgoing mail as really coming from
tomatoservers.com.

However, with some servers that pobox.com signature might have some
value (positive or negative), so it is not completely zero.


Years ago, dkim-reputation.org provided a database of good/bad
senders[1]. I don't know if there are other similar reputation services
now (big players obviously have their own data for that).

I would be interested in what other (smaller) parties are doing (if
any) to measure the "goodness" of valid DKIM signatures.
Also, the system could simply treat the DKIM signature as a link
with the signer domain (in this case pobox.com). Or it could also take
into account the specific signature chosen (either the selector or the
key), so that different email flows could bear different signatures and
receive different weight.
However, the latter case would obstruct key rotation, discouraging the
rotation of a DKIM key perceived to have a high value.


Regards


1- https://web.archive.org/web/20170712210708/http://www.dkim-reputation.org/

PS: Interestingly, I was in precisely a similar discussion about DKIM
reputation just a few days ago.




Re: [mailop] DKIM by the third party

2022-04-22 Thread Byung-Hee HWANG via mailop
Dear Brandon,

Brandon Long via mailop  writes:

> Generally speaking,
> adding a dkim signature to your message adds a "source" anchor,
> something that ties a message to other messages.

INDEED, i love this statement so much!

Thanks ^^^

Sincerely, Linux fan Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: [mailop] DKIM by the third party

2022-04-21 Thread Laura Atkins via mailop
A major reason many ESPs double DKIM sign is because two major providers 
(Google and Yahoo) will only provide compliance data (FBL in the case of Yahoo 
and access to Google Postmaster Tools in the case of Google) based on DKIM. 
While it is possible to have customers register (or register for customers), it is time 
consuming and does mean that truly bad customers can simply remove access to 
those compliance metrics. 

I do know one major ESP that didn’t double DKIM sign and my understanding is 
that it took more than 6 months to get access to all their customers’ Yahoo 
FBLs. I don’t know if they cared enough about GPT to set that up. 

laura 
> On 21 Apr 2022, at 23:28, Brandon Long via mailop  wrote:
> 
> Generally speaking, adding a dkim signature to your message adds a "source" 
> anchor, something that ties a message to other messages.
> 
> For us, this means another reputation in addition to things like IP address, 
> IP range, ASN, SPF domain.  We do rank signatures when there are
> multiple ones, i.e. for whether or not they are "test" signatures, the strength 
> of the key, and how well it matches the from header domain.
> 
> Whether that helps you or not will depend on the reputation of the DKIM 
> domain.  If I was a third party smtp server, I would only DKIM sign messages 
> with a shared domain if I had a reasonable belief that the messages are non-spam.  
> One could even assign different signatures depending on how spammy
> the message is, or how new the customer is, or other metrics (similar to how 
> one might use separate IP pools for different types of customers).
> 
> If one does have a high value DKIM domain, then one should be very careful 
> about signing relayed messages.  One could imagine only signing
> outbound mailing list messages if the inbound message passes spam check and 
> is authenticated already... don't add auth to something that wasn't
> authed, for example.  This is doubly true for mail which has a from address 
> which matches what you're going to sign for; you don't want to relay a forged
> message that isn't authed and add auth to it.
> 
> As for receivers, phishing and spam evaluation are similar but not identical, 
> especially if you're looking for spear phishing.  How you use the signals will
> vary for those use cases... and an unmatched auth domain is definitely a 
> lesser signal when it comes to phishing.
> 
> There's also the resurgence of dkim replay spam, which means that 
> non-matching spf/dkim domains are more likely to be penalized now... or one 
> could even "learn" the IPs for a given dkim domain, and "usual" IPs may do
> better than "unusual" IPs in that case.
> 
> It's complicated.
> 
> Brandon
> 
> On Wed, Apr 20, 2022 at 7:09 PM Henrik S via mailop wrote:
> Hello
> 
> My mail is sent by the third party smtp server, and the dkim signature 
> is made for the third party domain (for this case, it's pobox.com).
> 
> does this DKIM help with the authorization of my outgoing messages?
> 
> Thanks

-- 
The Delivery Experts

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Email Delivery Blog: http://wordtothewise.com/blog



Re: [mailop] DKIM by the third party

2022-04-21 Thread Brandon Long via mailop
Generally speaking, adding a dkim signature to your message adds a "source"
anchor, something that ties a message to other messages.

For us, this means another reputation in addition to things like IP
address, IP range, ASN, SPF domain.  We do rank signatures when there are
multiple ones, i.e. for whether or not they are "test" signatures, the
strength of the key, and how well it matches the from header domain.

Whether that helps you or not will depend on the reputation of the DKIM
domain.  If I was a third party smtp server, I would only DKIM sign
messages with a shared domain if I had a reasonable belief that the
messages are non-spam.  One could even assign different signatures
depending on how spammy the message is, or how new the customer is, or
other metrics (similar to how one might use separate IP pools for
different types of customers).

If one does have a high value DKIM domain, then one should be very careful
about signing relayed messages.  One could imagine only signing
outbound mailing list messages if the inbound message passes spam check and
is authenticated already... don't add auth to something that wasn't
authed, for example.  This is doubly true for mail which has a from address
which matches what you're going to sign for; you don't want to relay a
forged message that isn't authed and add auth to it.

As for receivers, phishing and spam evaluation are similar but not
identical, especially if you're looking for spear phishing.  How you use
the signals will vary for those use cases... and an unmatched auth domain
is definitely a lesser signal when it comes to phishing.

There's also the resurgence of dkim replay spam, which means that
non-matching spf/dkim domains are more likely to be penalized now... or one
could even "learn" the IPs for a given dkim domain, and "usual" IPs may
do better than "unusual" IPs in that case.

It's complicated.

Brandon

On Wed, Apr 20, 2022 at 7:09 PM Henrik S via mailop wrote:

> Hello
>
> My mail is sent by the third party smtp server, and the dkim signature
> is made for the third party domain (for this case, it's pobox.com).
>
> does this DKIM help with the authorization of my outgoing messages?
>
> Thanks


Re: [mailop] DKIM by the third party

2022-04-21 Thread John R Levine via mailop
> My main point is this: ESPs and other 3rd party SMTP services - should be 
> aware that using an SPF record that validates against the provider's domain 
> in the SMTP envelope-FROM (and not the actual client's domain) - AND ALSO - 
> having only one DKIM record which uses the provider's domain in the DKIM 
> record (and, again, not the actual client's domain) - so the combination of 
> these 2 - is insufficient and substandard for validating the identity of the 
> sender, especially in those cases where that service provider routinely 
> allows spammers and scammers to abuse their service.


Oh, sure.  If you're doing B2C or B2B mail which isn't going to run into 
the edge cases of individual or discussion list mail, it makes sense to 
publish a strict DMARC policy and add a DKIM signature which matches the 
header From: address.  Leave the envelope address alone so the ESP can do 
the bounce handling.


> So my question was simply asking if Amazon had some checks in place to 
> prevent this scenario? ...since I saw some examples of them coming close to 
> this fiasco.


They do.  See the link in my message.  I wouldn't say their abuse handling 
is fabulous, but considering their scale, it could be a lot worse.


The lowest tiers of AWS are very cheap, so it's not hard to sign up and do 
a few small scale experiments.


R's,
John



Re: [mailop] DKIM by the third party

2022-04-21 Thread Rob McEwen via mailop

On 4/21/2022 1:08 PM, John Levine wrote:
> I don't understand the question. Your DKIM signatures can only be 
> valid if you control the domain's DNS and publish the key records.

My main point is this: ESPs and other 3rd party SMTP services - should 
be aware that using an SPF record that validates against the provider's 
domain in the SMTP envelope-FROM (and not the actual client's domain) - 
AND ALSO - having only one DKIM record which uses the provider's domain 
in the DKIM record (and, again, not the actual client's domain) - so the 
combination of these 2 - is insufficient and substandard for validating 
the identity of the sender, especially in those cases where that service 
provider routinely allows spammers and scammers to abuse their service.


Then, when a legit business tries to use that service, but has this kind 
of substandard identity validation described above - it harms that legit 
sender because spam filters then have a harder time determining whether 
or not such a sender is legit and who they claim to be. In that case, 
the service provider's substandard practices become more of a part of 
the problem, less a part of the solution, and in general this harms 
email security.


So my question was simply asking if Amazon had some checks in place to 
prevent this scenario? ...since I saw some examples of them coming close 
to this fiasco.


-- Rob McEwen, invaluement


Re: [mailop] DKIM by the third party

2022-04-21 Thread John Levine via mailop
It appears that Rob McEwen via mailop said:
>negatively especially if/when the SMTP provider sends a mix of ham/spam 
>- and so in MANY cases - and so we don't consider the DKIM to be all 
>that particularly valid if/when NONE of the DKIM headers align with the 
>Mail Header FROM domain

The DKIM is valid in that it tells you that the signer is responsible
for the message, but I agree that if the signer sends mixed junk, that
information isn't very useful.

>Suppose important/valid transactional messages are sent via 3rd party 
>SMTP/ESP - the Return Path (SMTP envelope) FROM domain is that 
>provider's domain - therefore - the SPF record technically just 
>references that 3rd party SMTP/ESP. And suppose in this example that the 
>ONLY DKIM record in the header - does what you described (pointing to 
>3rd party) and therefore has a "d=" pointing to that SMTP/ESP's generic 
>domain. 

Same situation.  If it's a sloppy ESP, it doesn't tell you much about
whether you want the mail.

>
>(3) I recently came across an example from AmazonSES that was SIMILAR to 
>this - but not technically bad - in this case, the message had 2 DKIM 
>records, and one of those DKIM records in the mail header was for the 
>sender's mail-header FROM domain - which used that sender's main domain 
>name, thus solving this problem. (the other DKIM was for amazonses). 

I don't understand the question.  Your DKIM signatures can only be valid
if you control the domain's DNS and publish the key records.

SES does require you to show that you control the addresses you use to
send mail, either by doing domain validation with DNS records, or
validating an individual address by clicking a link in a message they
send you.  If you do domain validation you can provide your own DKIM
keys or they can make them and you just install them:

https://docs.aws.amazon.com/ses/latest/dg/creating-identities.html

R's,
John


Re: [mailop] DKIM by the third party

2022-04-21 Thread Tobias Fiebig via mailop
Heho,
Depends on what you mean here.

Option A: You use that third party mail-server as a legitimate outbound relay.
In this case, I would argue that it makes a limited amount of sense, i.e.,
they configured sth. wrongly, maybe because you have no DKIM configuration
coordinated with them.

Option B: You sent to an address on that server, and they forward your mail.
Here, it does make some sense, I'd say, depending on what they do.

For example, I do the same, i.e., providing an _additional_ dkim sig on
forwarded mail, because I also apply SRS to messages. So, then I add a
signature for the new envelope from domain from SRS, and add ARC headers as
well.

With best regards,
Tobias

-Original Message-
From: mailop On Behalf Of Henrik S via mailop
Sent: Thursday, 21 April 2022 04:05
To: mailop@mailop.org
Subject: [mailop] DKIM by the third party

Hello

My mail is sent by the third party smtp server, and the dkim signature is made 
for the third party domain (for this case, it's pobox.com).

does this DKIM help with the authorization of my outgoing messages?

Thanks


Re: [mailop] DKIM by the third party

2022-04-20 Thread Rob McEwen via mailop

On 4/20/2022 10:04 PM, Henrik S via mailop wrote:
> My mail is sent by the third party smtp server, and the dkim signature 
> is made for the third party domain (for this case, it's pobox.com).
> does this DKIM help with the authorization of my outgoing messages?

I'm curious about others' opinions - but - coincidentally:

(1) in a recent project to do a years-overdue rewrite of much of the 
engine behind invaluement - we're looking at this practice very 
negatively especially if/when the SMTP provider sends a mix of ham/spam 
- and so in MANY cases - and so we don't consider the DKIM to be all 
that particularly valid if/when NONE of the DKIM headers align with the 
Mail Header FROM domain


(2) also - coincidentally - another huge consideration is this scenario:

Suppose important/valid transactional messages are sent via 3rd party 
SMTP/ESP - the Return Path (SMTP envelope) FROM domain is that 
provider's domain - therefore - the SPF record technically just 
references that 3rd party SMTP/ESP. And suppose in this example that the 
ONLY DKIM record in the header - does what you described (pointing to 
3rd party) and therefore has a "d=" pointing to that SMTP/ESP's generic 
domain. So in that scenario - if the SMTP-provider/ESP doesn't have good 
security and frequently allows criminals onto their system (which is NOT 
unusual) - what's preventing some criminal from doing the SAME thing, 
but then forging in a legit institution's domain into the FROM address 
and sending a phish - where that financial institution ALSO uses this 
same 3rd party SMTP or ESP? In that case, the phish will technically 
pass both DKIM and SPF - although it still won't pass the stricter 
standard of the mail header domain having alignment with the DKIM record 
- THUS the reason for our stance described in (1) above! That is a HUGE 
potential security loophole that can't be underestimated or ignored!


(3) I recently came across an example from AmazonSES that was SIMILAR to 
this - but not technically bad - in this case, the message had 2 DKIM 
records, and one of those DKIM records in the mail header was for the 
sender's mail-header FROM domain - which used that sender's main domain 
name, thus solving this problem. (the other DKIM was for amazonses). It 
was from an entity where great damage could be done if a criminal was 
able to setup an account with AmazonSES and then do what I described 
above in (2). So I sent a PM to Paul Vixie asking him if, in that 
scenario, Amazon SES enforces the use of a DKIM for the senders' own 
mail-header domain - and if AmazonSES actively prevents criminals from 
getting onto their system and doing what I describe in (2) above. I just 
sent this to Paul Vixie only a couple of days ago - he might not have 
even seen it yet? - where I asked Paul if AmazonSES already enforces a 
solution? (since they seem to be VERY close to having that issue 
described above - but maybe they've already solved this?) So maybe 
AmazonSES is enforcing this Mail Header FROM alignment - or is otherwise 
preventing criminals from using this loophole that attempts to 
impersonate their other customers? I'm guessing that they do, but I 
wanted to be sure. But this possible horrific loophole might apply 
to many SMTP-providers and ESPs!


(4) For all these reasons, I definitely recommend making sure there is a 
DKIM record that aligns with the mail-header FROM address! ...and then 
ALSO using a mail-header FROM address that uses a domain that properly 
conveys that sending organization's identity and reputation, and NOT 
using a "throw away" domain (as many spammers, and some legit senders, 
do to try to protect their main domain from getting listed on an 
anti-spam list - but more legit senders who don't send spam - don't tend 
to NEED to use such questionable tactics)


--
Rob McEwen, invaluement

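The alignment check that Rob's points (1), (2) and (4) rest on, and that Brandon lists as one of his ranking inputs ("how well it matches the from header domain"), as an added example: this is not code from any poster; the messages, domains (esp.example, tomatoservers.example, bank.example) and selectors are constructed, and it assumes the signatures have already been cryptographically verified.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): mail relayed through an ESP carrying
# two DKIM signatures, one for the provider's domain and one for the author's
# own domain. Signature values are placeholders; we assume they already verified.
ALIGNED_MSG = """\
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=relay1; h=from:subject;
 bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=mail.tomatoservers.example; s=k2022;
 h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Henrik S <henrik@tomatoservers.example>
Subject: invoice

body
"""

# Constructed sample for the scenario in point (2): a forged bank From: with
# only the shared ESP signature. SPF and DKIM may "pass", alignment does not.
FORGED_MSG = """\
DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=relay1; h=from:subject;
 bh=PLACEHOLDER; b=PLACEHOLDER
From: Alerts <alerts@bank.example>
Subject: verify your account

body
"""

def parse_tags(value):
    """Split a DKIM-Signature field into its RFC 6376 tag=value pairs,
    discarding the folding whitespace a header may contain."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def org_domain(domain):
    """Toy organizational domain: the last two labels. Real checkers consult
    the Public Suffix List here; that is the one simplification in this example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def is_aligned(identity_domain, from_domain, strict=False):
    """DMARC-style identifier alignment: strict requires an exact match,
    relaxed accepts any name under the same organizational domain."""
    if strict:
        return identity_domain.lower() == from_domain.lower()
    return org_domain(identity_domain) == org_domain(from_domain)

def evaluate(raw, spf_domain=None, strict=False):
    """List every d= on the message, mark which align with the header From:
    domain, and say whether DKIM or SPF (envelope domain) yields alignment."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    sigs = []
    for field in msg.get_all("DKIM-Signature", []):
        d = parse_tags(field).get("d", "")
        sigs.append({"d": d, "aligned": is_aligned(d, from_domain, strict)})
    spf_aligned = bool(spf_domain) and is_aligned(spf_domain, from_domain, strict)
    return {"from_domain": from_domain, "signatures": sigs,
            "dmarc_aligned": any(s["aligned"] for s in sigs) or spf_aligned}
```

Run `evaluate(FORGED_MSG, spf_domain="bounce.esp.example")` to see the point (2) case: both identifiers belong to the ESP, so nothing aligns with bank.example even though each mechanism individually passed.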


Re: [mailop] DKIM by the third party

2022-04-20 Thread Byung-Hee HWANG via mailop
Henrik S via mailop  writes:

> (... thanks ...)
> does this DKIM help with the authorization of my outgoing messages?

The answer is "case by case".

And i'm doing that [^^^] for forwarding (to Gmail).

Sincerely, Linux fan Byung-Hee

[^^^] test screenshot with forwarding to gmail:


-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[mailop] DKIM by the third party

2022-04-20 Thread Henrik S via mailop

Hello

My mail is sent by the third party smtp server, and the dkim signature 
is made for the third party domain (for this case, it's pobox.com).


does this DKIM help with the authorization of my outgoing messages?

Thanks