Re: [mailop] DKIM signed with parent domain

2024-02-06 Thread Marco Moock via mailop
On 27.01.2024 at 13:46:34, Gellner, Oliver via mailop wrote:

> If I as a customer or business partner would receive emails which are
> coming from apa...@webserver1.company.tld then I‘d be under the
> impression that this company lost control of their infrastructure.
> But maybe that’s just me.

It depends on the situation.
We have a big site with distributed administration, but a central mail
relay.
Many servers send logs to the admins and the admins are not always on
mail servers in our site.
We sometimes don't even have control over the DNS zones because they
operate their own DNS.

Some machines also use common names, like registration.example.org. We
now use DKIM with a parent domain and Google seems to accept that.
But we noticed that Google doesn't enforce its hard DKIM/SPF policies
anymore here.

-- 
Regards
Marco

Please send spam and advertising to ichschickerekl...@cartoonies.org
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] DKIM signed with parent domain

2024-01-27 Thread Jaroslaw Rafa via mailop
On 26.01.2024 at 22:06:44, Gellner, Oliver via mailop wrote:
> Independent of this I wouldn’t use r...@hostname.example.org as a sender
> address to external recipients. This doesn’t look professional, makes
> replying to those emails impossible and in case hostname.example.org
> doesn’t have a public IP address it might also increase the risk that
> those messages are treated as spam or rejected, because they are coming
> from an unresolvable domain.

While you are obviously right about the unresolvable domain case, if
hostname.example.org is resolvable (and if that host is a MX for
example.org, it will be), what makes you think that replying to an email
from r...@hostname.example.org is impossible?

In the past I've done it dozens of times and it always worked. Unless of
course root account was configured to reject mail, but this is not a common
configuration.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] DKIM signed with parent domain

2024-01-27 Thread Byung-Hee HWANG via mailop
Hello Slavko,

On Sat, 2024-01-27 at 08:10 +, Slavko via mailop wrote:
> On 27 January 2024 at 3:59:54 UTC, Byung-Hee HWANG via
> mailop wrote:
> 
> > 
> > Google Gmail accepts such email: (source from soyeo...@gmail.com)
> > https://gitlab.com/soyeomul/Gnus/-/raw/d73303d3f304a275bb6f129c0d4934ce30680629/DKIM/gmail-forwarding-header-20240126.txt
> 
> AFAIK:
> 
> + standalone DKIM has no dependency on any email header
> + DMARC has an option for how strictly to verify DKIM alignment
> 
> Thus, make sure of proper settings and it should be ok (RFC compliant).
> 
> If some site will not accept that, it is its bug. To be sure, one can
> set up a separate DMARC record for the subdomain with a separate
> rua= target defined and watch (inspect) reports for some time.
> 

These days, I'm reading RFC 8617 from time to time. Thanks for your
kind advice!


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: [mailop] DKIM signed with parent domain

2024-01-27 Thread Gellner, Oliver via mailop

> On 27.01.2024 at 03:23 Grant Taylor via mailop wrote:
> On 1/26/24 16:06, Gellner, Oliver via mailop wrote:
>> Independent of this I wouldn’t use r...@hostname.example.org as a sender 
>> address to external recipients. This doesn’t look professional,
>
> I'll agree that sending from root@ is not best practice.  But I 
> don't know if it's unprofessional per se.

If I as a customer or business partner would receive emails which are coming 
from apa...@webserver1.company.tld then I‘d be under the impression that this 
company lost control of their infrastructure. But maybe that’s just me.

>> makes replying to those emails impossible
>
> I question the veracity of that.
>
> Including a Reply-To: and / or an MX for  to a reachable mail 
> server that is a smart host that knows how to deliver email to a host that's 
> not directly reachable seems viable to me.

I should have been more precise: Technically it’s of course possible to send 
emails to @hostfqdn, there is nothing special about this email address after 
all. However the original question in this thread was that it’s too much work 
to add and maintain TXT entries for all host FQDNs. I conclude from this that 
the same applies to adding and maintaining MX entries for all host FQDNs, let 
alone modify all emails to include Reply-To headers.

>> and in case hostname.example.org doesn’t have a public IP address it might 
>> also increase the risk that those messages are treated as spam or rejected, 
>> because they are coming from an unresolvable domain.
>
> I question the veracity of anything that balks at a valid MX via smart host 
> for a  that is in and of itself unreachable.
>
> After all, what is the effective difference in a host that's in a private 
> network using a smart host for outbound and inbound mail and a host usually 
> fully reachable / on the Internet that happens to be offline due to an 
> extended power outage caused by a winter storm?

I didn’t write that the hosts have to be reachable. Chances are that the FQDN 
of at least some of the hosts in the company network are not publicly 
resolvable, because for example they are not reachable from the internet 
anyway. That means looking up A /  / MX of hostname.example.com would yield 
NXDOMAIN. This may cause deliverability problems.

—
BR Oliver


dmTECH GmbH
Am dm-Platz 1, 76227 Karlsruhe * P.O. Box 10 02 34, 76232 Karlsruhe
Phone 0721 5592-2500 Fax 0721 5592-2777
dmt...@dm.de * www.dmTECH.de
GmbH: registered office Karlsruhe, register court Mannheim, HRB 104927
Managing directors: Christoph Werner, Martin Dallmeier, Roman Melcher

Data protection information
When you get in touch with us, for example when you have questions for our 
ServiceCenter, shop with us or visit our dialogicum in Karlsruhe, have a 
business relationship with us or apply for a job with us, we process personal 
data. Information on, among other things, the specific data processing, 
deletion periods, your rights and the contact details of our data protection 
officers can be found here.


Re: [mailop] DKIM signed with parent domain

2024-01-27 Thread Slavko via mailop
On 27 January 2024 at 3:59:54 UTC, Byung-Hee HWANG via mailop wrote:

>
>Google Gmail accepts such email: (source from soyeo...@gmail.com)
>https://gitlab.com/soyeomul/Gnus/-/raw/d73303d3f304a275bb6f129c0d4934ce30680629/DKIM/gmail-forwarding-header-20240126.txt

AFAIK:

+ standalone DKIM has no dependency on any email header
+ DMARC has an option for how strictly to verify DKIM alignment

Thus, make sure of proper settings and it should be ok (RFC compliant).

If some site will not accept that, it is its bug. To be sure, one can
set up a separate DMARC record for the subdomain with a separate
rua= target defined and watch (inspect) reports for some time.

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] DKIM signed with parent domain

2024-01-26 Thread Byung-Hee HWANG via mailop
Hello Oliver,

On Fri, 2024-01-26 at 22:06 +, Gellner, Oliver via mailop wrote:
> 
> > On 25.01.2024 at 16:29 Marco Moock via mailop wrote:
> > 
> > At work we are currently deploying DKIM.
> > 
> > Do people here have experience with messages from sub.example.org
> > signed with d=example.org?
> > That way is much easier to handle for us because we have a lot of
> > domains (machines sending with r...@hostname.example.org etc.).
> > 
> > Will Google accept such messages in the future?
> > I am aware that DMARC can control that, but how will Google handle
> > it?
> 
> Unfortunately I can’t say what Google or other third parties are
> planning to do in the future. At the moment DKIM signatures from a
> parent domain will pass DMARC checks as long as DKIM alignment is in
> relaxed mode.
> 

Google Gmail accepts such email: (source from soyeo...@gmail.com)
https://gitlab.com/soyeomul/Gnus/-/raw/d73303d3f304a275bb6f129c0d4934ce30680629/DKIM/gmail-forwarding-header-20240126.txt


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: [mailop] DKIM signed with parent domain

2024-01-26 Thread Grant Taylor via mailop

On 1/26/24 16:06, Gellner, Oliver via mailop wrote:
> Independent of this I wouldn’t use r...@hostname.example.org
> as a sender address to external recipients. This doesn’t look
> professional,

I'll agree that sending from root@ is not best practice.  But
I don't know if it's unprofessional per se.

> makes replying to those emails impossible

I question the veracity of that.

Including a Reply-To: and / or an MX for  to a reachable mail
server that is a smart host that knows how to deliver email to a host
that's not directly reachable seems viable to me.

> and in case hostname.example.org doesn’t have a public IP address
> it might also increase the risk that those messages are treated as
> spam or rejected, because they are coming from an unresolvable domain.

I question the veracity of anything that balks at a valid MX via smart
host for a  that is in and of itself unreachable.

After all, what is the effective difference in a host that's in a
private network using a smart host for outbound and inbound mail and a
host usually fully reachable / on the Internet that happens to be
offline due to an extended power outage caused by a winter storm?

I think that there /should/ be /a/ system that is willing to handle mail
for the system, but I don't agree that it needs to be /the/ /system/
/itself/.

> Many MTAs provide ways to rewrite sender addresses,

Agreed.

What I don't agree with is the actual need -> requirement to do so.

Sure, masquerading sending addresses is a useful tool in the toolbox.
But it's not the only tool in the toolbox.

> This will resolve all questions about subdomains once and for all and
> doesn’t even require any changes to the applications which create
> the messages.

I question the veracity of that for multiple reasons.  Doing this on
each source system will likely be a lossy operation and could have
serious negative impact on systems inside the organization that would
otherwise utilize the masqueraded source address.  --  Obviously I think
that there are ways to make this email work even if the internal system
isn't reachable from the Internet.  I have other similar / more obtuse
qualms with the idea that masquerading will resolve all questions about
subdomains period, much less once and for all.




--
Grant. . . .




Re: [mailop] DKIM signed with parent domain

2024-01-26 Thread Al Iverson via mailop
> Independent of this I wouldn’t use r...@hostname.example.org as a sender 
> address to external recipients. This doesn’t look professional, makes 
> replying to those emails impossible and in case hostname.example.org doesn’t 
> have a public IP address it might also increase the risk that those messages 
> are treated as spam or rejected, because they are coming from an unresolvable 
> domain.
> Many MTAs provide ways to rewrite sender addresses, so you could rewrite both 
> MAIL FROM and header From to someth...@example.org before delivering the 
> messages. This will resolve all questions about subdomains once and for all 
> and doesn’t even require any changes to the applications which create the 
> messages.

Agreed. Example: Depending on your unix config, you can do like I did
and create /etc/mailutils.conf with this in it:

address {
  email-domain xnnd.com;
};

So that any `echo "notification" | mail aiver...@wombatmail.com` will
come from u...@xnnd.com, not u...@server32.xnnd.com.

Cheers,
Al Iverson

-- 

Al Iverson / Deliverability blogging at https://www.spamresource.com
Subscribe to the weekly newsletter at https://ml.spamresource.com
DNS Tools: https://xnnd.com / (312) 725-0130 / Chicago (Central Time)


Re: [mailop] DKIM signed with parent domain

2024-01-26 Thread Gellner, Oliver via mailop

> On 25.01.2024 at 16:29 Marco Moock via mailop wrote:
>
> At work we are currently deploying DKIM.
>
> Do people here have experience with messages from sub.example.org
> signed with d=example.org?
> That way is much easier to handle for us because we have a lot of
> domains (machines sending with r...@hostname.example.org etc.).
>
> Will Google accept such messages in the future?
> I am aware that DMARC can control that, but how will Google handle it?

Unfortunately I can’t say what Google or other third parties are planning to do 
in the future. At the moment DKIM signatures from a parent domain will pass 
DMARC checks as long as DKIM alignment is in relaxed mode.

Independent of this I wouldn’t use r...@hostname.example.org as a sender 
address to external recipients. This doesn’t look professional, makes replying 
to those emails impossible and in case hostname.example.org doesn’t have a 
public IP address it might also increase the risk that those messages are 
treated as spam or rejected, because they are coming from an unresolvable 
domain.
Many MTAs provide ways to rewrite sender addresses, so you could rewrite both 
MAIL FROM and header From to someth...@example.org before delivering the 
messages. This will resolve all questions about subdomains once and for all and 
doesn’t even require any changes to the applications which create the messages.

—
BR Oliver



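Added example, not part of any poster's message: the relaxed-versus-strict DKIM alignment rule described in the message above, combined with the separate per-subdomain DMARC record (with its own rua= target) suggested elsewhere in the thread. The function names are hypothetical, the suffix list and TXT records are constructed sample data, and the DKIM signature itself is assumed to have verified already.

```python
"""DMARC policy discovery and DKIM identifier alignment (after RFC 7489).

Added example. The suffix list and TXT records are constructed sample data,
and it assumes the DKIM signature itself has already verified.
"""

# Tiny stand-in for the Public Suffix List (assumption; real checkers load the full list).
PUBLIC_SUFFIXES = {"org", "com", "co.uk"}

# Constructed zone: one policy at the organizational domain and a separate,
# stricter record with its own rua= target for a single subdomain.
DNS_TXT = {
    "_dmarc.example.org": "v=DMARC1; p=reject; adkim=r; rua=mailto:dmarc@example.org",
    "_dmarc.strict.example.org":
        "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-strict@example.org",
}


def organizational_domain(domain):
    """Return the longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown TLD: treat the last label as the suffix


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def discover_policy(from_domain):
    """Query _dmarc.<From domain> first, then fall back to the organizational domain."""
    from_domain = from_domain.lower().rstrip(".")
    for name in (from_domain, organizational_domain(from_domain)):
        tags = parse_dmarc(DNS_TXT.get("_dmarc." + name, ""))
        if tags:
            return name, tags
    return None, {}


def dkim_aligned(from_domain, d_domain, adkim="r"):
    """Strict: d= must equal the From domain. Relaxed: same organizational domain."""
    f = from_domain.lower().rstrip(".")
    d = d_domain.lower().rstrip(".")
    if adkim == "s":
        return f == d
    return organizational_domain(f) == organizational_domain(d)


def evaluate(from_domain, dkim_d):
    """Combine discovery and alignment for one message's From domain and d= value."""
    source, tags = discover_policy(from_domain)
    mode = tags.get("adkim", "r")  # relaxed is the default when adkim is absent
    return {"policy_from": source, "adkim": mode, "rua": tags.get("rua"),
            "aligned": dkim_aligned(from_domain, dkim_d, mode)}


if __name__ == "__main__":
    for frm, d in [("hostname.example.org", "example.org"),
                   ("strict.example.org", "example.org"),
                   ("strict.example.org", "strict.example.org")]:
        print(frm, "d=" + d, evaluate(frm, d))
```

A subdomain that publishes its own record with adkim=s stops accepting d=example.org signatures, while hosts without a record of their own inherit the relaxed policy from the organizational domain.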


Re: [mailop] DKIM signed with parent domain

2024-01-26 Thread Byung-Hee HWANG via mailop
Hello Jörg,

On Fri, 2024-01-26 at 10:49 +0100, Jörg Backschues via mailop wrote:
> On 25.01.24 at 23:58, Anne Mitchell via mailop wrote:
> 
> > > On Jan 25, 2024, at 3:24 PM, Byron Lunz via mailop
> > >  wrote:
> > > 
> > > Or, you can use https://aboutmy.email/ - not affiliated, just a
> > > pleased user.
> > 
> > Yes, absolutely, aboutmy.email rocks!  And, is offered by a very
> > trusted source!
> 
> Sorry, but there are issues with AboutMy.email when using multiple
> DKIM 
> signatures e.g. RSA & Ed25519.
> 

As far as I know, both sites perform ed25519 verification.

*DNSWL* and *Protonmail*


And several Debian developers are also using Ed25519 keys.


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


Re: [mailop] DKIM signed with parent domain

2024-01-26 Thread Slavko via mailop

On 26 Jan at 10:49, Jörg Backschues via mailop wrote:

> Sorry, but there are issues with AboutMy.email when using multiple DKIM
> signatures e.g. RSA & Ed25519.


I was curious, and no, there are not issues with dual signed DKIM, both 
my signatures are in pass state, the only missing thing is, that detail 
page about signature(s) lacks the key algorithm, but that is cosmetic.


regards

--
Slavko



Re: [mailop] DKIM signed with parent domain

2024-01-26 Thread Jörg Backschues via mailop

On 25.01.24 at 23:58, Anne Mitchell via mailop wrote:

>> On Jan 25, 2024, at 3:24 PM, Byron Lunz via mailop  wrote:
>>
>> Or, you can use https://aboutmy.email/ - not affiliated, just a pleased user.
>
> Yes, absolutely, aboutmy.email rocks!  And, is offered by a very trusted source!

Sorry, but there are issues with AboutMy.email when using multiple DKIM
signatures e.g. RSA & Ed25519.


--
Regards
Jörg Backschues



Re: [mailop] DKIM signed with parent domain

2024-01-25 Thread Ilja Nedilko via mailop
I'm also very curious about this, we will actually attempt to do this with an 
external vendor later today using Amazon SES, but all parties are unsure about 
the DKIM handling here.
In our case we will be using selector for subdomain.domain.tld, and e-mail from 
sub.subdomain.domain.tld.


Best regards,

Ilja Nedilko


From: mailop  on behalf of Marco Moock via mailop 

Sent: 25 January 2024 17:17
To: mailop 
Subject: [mailop] DKIM signed with parent domain

Hello!

At work we are currently deploying DKIM.

Do people here have experience with messages from sub.example.org
signed with d=example.org?
That way is much easier to handle for us because we have a lot of
domains (machines sending with r...@hostname.example.org etc.).

Will Google accept such messages in the future?
I am aware that DMARC can control that, but how will Google handle it?


--
kind regards
Marco

Send spam to asdfasd...@cartoonies.org


Re: [mailop] DKIM signed with parent domain

2024-01-25 Thread Anne Mitchell via mailop


> On Jan 25, 2024, at 3:24 PM, Byron Lunz via mailop  wrote:
> 
> Or, you can use https://aboutmy.email/ - not affiliated, just a pleased user.

Yes, absolutely, aboutmy.email rocks!  And, is offered by a very trusted source!

Anne

--- 
Anne P. Mitchell, Esq.
Email Law & Policy Attorney
CEO Institute for Social Internet Public Policy (ISIPP)
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal email marketing law)
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, eMail Abuse Prevention System (MAPS)




Re: [mailop] DKIM signed with parent domain

2024-01-25 Thread Byron Lunz via mailop
Or, you can use https://aboutmy.email/ - not affiliated, just a pleased
user.


On Thu, Jan 25, 2024 at 11:49 AM Randolf Richardson, Postmaster via mailop <
mailop@mailop.org> wrote:

> Feel free to contact me off-list if you'd like to send some test
> messages -- I can send back the results of the DKIM and DMARC checks.
>
> My eMail address is:  postmas...@inter-corporate.com
>
> > Hello!
> >
> > At work we are currently deploying DKIM.
> >
> > Do people here have experience with messages from sub.example.org
> > signed with d=example.org?
> > That way is much easier to handle for us because we have a lot of
> > domains (machines sending with r...@hostname.example.org etc.).
> >
> > Will Google accept such messages in the future?
> > I am aware that DMARC can control that, but how will Google handle it?
> >
> >
> > --
> > kind regards
> > Marco
> >
> > Send spam to asdfasd...@cartoonies.org
>
>
> --
> Postmaster - postmas...@inter-corporate.com
> Randolf Richardson, CNA - rand...@inter-corporate.com
> Inter-Corporate Computer & Network Services, Inc.
> Vancouver, British Columbia, Canada
> https://www.inter-corporate.com/
>
>


Re: [mailop] DKIM signed with parent domain

2024-01-25 Thread Randolf Richardson, Postmaster via mailop
Feel free to contact me off-list if you'd like to send some test 
messages -- I can send back the results of the DKIM and DMARC checks.

My eMail address is:  postmas...@inter-corporate.com

> Hello!
> 
> At work we are currently deploying DKIM.
> 
> Do people here have experience with messages from sub.example.org
> signed with d=example.org?
> That way is much easier to handle for us because we have a lot of
> domains (machines sending with r...@hostname.example.org etc.).
> 
> Will Google accept such messages in the future?
> I am aware that DMARC can control that, but how will Google handle it?
> 
> 
> -- 
> kind regards
> Marco
> 
> Send spam to asdfasd...@cartoonies.org


-- 
Postmaster - postmas...@inter-corporate.com
Randolf Richardson, CNA - rand...@inter-corporate.com
Inter-Corporate Computer & Network Services, Inc.
Vancouver, British Columbia, Canada
https://www.inter-corporate.com/




Re: [mailop] DKIM signed with parent domain

2024-01-25 Thread Byung-Hee HWANG via mailop
Hello Marco,

On Thu, 2024-01-25 at 16:17 +0100, Marco Moock via mailop wrote:
> Hello!
> 
> At work we are currently deploying DKIM.
> 
> Do people here have experience with messages from sub.example.org
> signed with d=example.org?
> That way is much easier to handle for us because we have a lot of
> domains (machines sending with r...@hostname.example.org etc.).
> 
> Will Google accept such messages in the future?
> I am aware that DMARC can control that, but how will Google handle
> it?
> 

IMHO, there is no problem. You see here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043539


Sincerely, Byung-Hee

-- 
^고맙습니다 _布德天下_ 감사합니다_^))//


[mailop] DKIM signed with parent domain

2024-01-25 Thread Marco Moock via mailop
Hello!

At work we are currently deploying DKIM.

Do people here have experience with messages from sub.example.org
signed with d=example.org?
That way is much easier to handle for us because we have a lot of
domains (machines sending with r...@hostname.example.org etc.).

Will Google accept such messages in the future?
I am aware that DMARC can control that, but how will Google handle it?


-- 
kind regards
Marco

Send spam to asdfasd...@cartoonies.org