Re: Question on DKIM signature

2021-08-16 Thread Ken N

Raf

Thank you for providing the details.
That makes things clear.

Regards.


On 2021/8/16 6:26 PM, raf wrote:

On Mon, Aug 16, 2021 at 05:21:15PM +0800, Ken N  wrote:


I was reading this blog posting:
https://www.alexblackie.com/articles/email-authenticity-dkim-spf-dmarc/

But I am confused: what content should the DKIM signature cover?
The message body or the headers? Which headers should be signed?

Thank you.


Hi Ken,

DKIM is defined in RFC 6376:

   https://tools.ietf.org/html/rfc6376 (Internet Standard)

DKIM signatures should include the entire body, and
some headers. The RFC only requires that the From:
header be included, but it lists some "common examples"
of headers that get included (Section 5.4.1):

From, Reply-To, Subject, Date, To, Cc,
Resent-Date, Resent-From, Resent-To, Resent-Cc,
In-Reply-To, References,
List-Id, List-Help, List-Unsubscribe, List-Subscribe,
List-Post, List-Owner, List-Archive

I think this is the default list used by OpenDKIM.

The RFC also suggests others such as:

Content-*

But that's mainly if only some, but not all, of the
body is signed. That's not recommended, but it's been
known to happen.

In addition to that, it's a good idea to "oversign"
some headers, which is a mechanism to make sure that
nobody maliciously adds an additional instance of a
signed header. Without oversigning, an extra instance
of a header wouldn't invalidate a DKIM signature, but
it might be visible to the recipient, and therefore be
misleading. Oversigning makes sure that that won't
happen without invalidating the DKIM signature and
getting noticed.

Usually, the only header that is oversigned is:

   From

Because it's the most important.

But there's one school of thought that says that all
headers that are visible to the user should be
oversigned, e.g.:

   From, To, Cc, Subject, Date

See here for that school of thought:

   Breaking DKIM - on Purpose and by Chance
   https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html

And see here for a counterargument:

   Breaking DKIM? Or simply misunderstanding how it works in practice
   https://www.valimail.com/blog/breaking-dkim-or-simply-misunderstanding-how-it-works-in-practice/

OpenDKIM at least always checks for multiple occurrences
of any header that should only appear once. Perhaps all
DKIM validators do that these days. Let's hope so.

Also bear in mind that SPF is fragile ("broken" by all
mail forwarding and some mailing lists), DKIM is as well
but less so (broken by some mailing lists), and DMARC
is very fragile (broken by the above and when it
decides that the above don't apply).

And so they needed to invent another layer on top of it
all: Authenticated Received Chain (ARC):

   https://tools.ietf.org/html/rfc8617 (Experimental)

I think at this stage, it's safe to say that it's
getting out of hand. :-)

I suppose there's no problem in computer science that
can't be solved by adding another layer of cryptographic
indirection. :-)

cheers,
raf

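The header-selection rule behind raf's oversigning advice, as an added example (not code from the thread, OpenDKIM, or the RFC). It implements the RFC 6376 Section 5.4.2 bottom-up selection of header instances for an h= tag and hashes the relaxed-canonicalized result, then shows that a second From: prepended by a relay leaves a plain `h=from:...` hash unchanged but changes an oversigned `h=from:from:...` hash. The "signed header hash" here is SHA-256 over the selected header fields only; a real signer also feeds in the DKIM-Signature field (with an empty b=) and the body hash before signing, and that is omitted. The sample headers are constructed, and `duplicated_singletons` is a simplified model of the "header that should only appear once" check raf attributes to OpenDKIM, not OpenDKIM's own code.

```python
"""RFC 6376 header selection, relaxed canonicalization and oversigning.
Added example with constructed headers; not the list's or OpenDKIM's code."""

import hashlib
import re


def relaxed_header(name, value):
    """RFC 6376 s3.4.2 relaxed header canonicalization: lowercase the field
    name, unfold and collapse whitespace runs to one space, strip the value,
    and terminate with CRLF."""
    value = re.sub(r"[ \t\r\n]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_headers(headers, h_tag):
    """RFC 6376 s5.4.2: walk the h= list left to right; each name takes the
    *last* (bottom-most) not-yet-used instance of that header. A name listed
    more times than it occurs maps to None and contributes nothing to the
    hash (s3.7, 'nonexistent header fields'). That is what oversigning
    relies on: a later-added instance gets selected and changes the hash."""
    used = set()
    selected = []
    for name in h_tag.split(":"):
        pick = None
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == name.lower():
                pick = idx
                break
        if pick is not None:
            used.add(pick)
            selected.append((name, headers[pick][1]))
        else:
            selected.append((name, None))
    return selected


def header_hash(headers, h_tag):
    """SHA-256 over the canonicalized selected headers (stand-in for the
    header portion of the signed data; the real input also includes the
    DKIM-Signature field and bh=)."""
    data = b"".join(
        relaxed_header(name, value).encode("utf-8")
        for name, value in select_headers(headers, h_tag)
        if value is not None)
    return hashlib.sha256(data).hexdigest()


# Header fields RFC 5322 s3.6 allows at most once per message.
RFC5322_SINGLETONS = {"from", "sender", "reply-to", "to", "cc", "bcc",
                      "date", "subject", "message-id", "in-reply-to",
                      "references"}


def duplicated_singletons(headers):
    """Verifier-side sanity check: names of must-be-unique headers that
    appear more than once (lowercased, sorted). Simplified model of the
    kind of check raf mentions, not OpenDKIM's implementation."""
    counts = {}
    for name, _ in headers:
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return sorted(n for n, c in counts.items()
                  if c > 1 and n in RFC5322_SINGLETONS)


# Constructed message headers, top of the header block first.
ORIGINAL_HEADERS = [
    ("From", "Alice <alice@example.org>"),
    ("To", "bob@example.net"),
    ("Subject", "Invoice"),
    ("Date", "Mon, 16 Aug 2021 17:21:15 +0800"),
]
# The same message after a relay prepended a second From: (constructed).
SPOOFED_HEADERS = [("From", "CEO <ceo@example.org>")] + ORIGINAL_HEADERS

PLAIN_H = "from:to:subject:date"
OVERSIGNED_H = "from:from:to:to:subject:subject:date:date"

if __name__ == "__main__":
    for label, h in (("plain", PLAIN_H), ("oversigned", OVERSIGNED_H)):
        same = header_hash(ORIGINAL_HEADERS, h) == header_hash(SPOOFED_HEADERS, h)
        print(f"{label:10s} h={h}: hash unchanged by extra From? {same}")
    print("duplicated singletons:", duplicated_singletons(SPOOFED_HEADERS))
```

With the plain h= the verifier still selects the original, bottom-most From: and the signature verifies even though many mail clients display the first From: they see; with the oversigned h= the second "from" slot picks up the prepended header and the hash no longer matches.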


Question on DKIM signature

2021-08-16 Thread Ken N

I was reading this blog posting:
https://www.alexblackie.com/articles/email-authenticity-dkim-spf-dmarc/

But I am confused: what content should the DKIM signature cover?
The message body or the headers? Which headers should be signed?

Thank you.


Re: How to force remote deliver agent to send messages via SSL only

2021-08-15 Thread Ken N

Does Ubuntu Linux have the keystore chain management? Thanks.

On 2021/8/16 2:03 AM, Ralph Seichter wrote:

One can import self-signed certs and/or certificate authority data
directly into TB's own keystore, but importing into the OS keystore
(e.g. the system keychain for macOS) is usually more convenient.


Re: will this break DMARC?

2021-08-13 Thread Ken N

Yes I agree.

Most Google Groups add additional info at the end of each message,
which makes DKIM invalid.
Since Google Groups is a forwarding service that does a valid SRS, SPF
has no contribution to the DMARC validation.

So, almost every message forwarded by Google Groups fails DMARC.

How does Google handle it?
It just replaces the From: in the header with Google's list name, but keeps
the real sender email in the Reply-To: header.


For instance, I sent an email from x...@mail.ru to Google Groups, and Google
delivered it to every member's mailbox. DMARC will fail in this case.


So, Google just replaces x...@mail.ru with x...@googlegroups.com in the
header, and then tries to deliver the message.


thanks.


On 2021/8/14 7:10 AM, raf wrote:

Lots of mailing lists add a bit of list-related text at the
end of each message (even though the same information
is in List- headers as well). That renders DKIM signatures invalid.
Perhaps the dovecot list does that. It doesn't seem to, looking at
the archives.


--
Ken N
https://blog.hoxblue.com/


Re: will this break DMARC?

2021-08-13 Thread Ken N

I have pasted @raf's answer into my blog posting.
Copyright @raf, certainly. Thank you.

https://blog.hoxblue.com/will-a-forwarded-message-break-the-dmarc/

regards.

On 2021/8/13 1:03 PM, raf wrote:

Maybe. It depends on lots of stuff. A DMARC check
passes if either SPF or DKIM pass, but (for DMARC
purposes), SPF only applies (and therefore can only
pass) when the From: domain matches the envelope sender
domain, and (for DMARC purposes) DKIM only applies (and
therefore can only pass) when the From: domain matches
the DKIM signing domain (d=).

If pobox.com uses its own envelope sender when
forwarding the email, then mail.ru's SPF doesn't apply
(because it wouldn't be the envelope sender domain
anymore). Instead, pobox.com's SPF applies (because
it's now the envelope sender domain). But pobox.com's
SPF doesn't apply to mail.ru's DMARC check. So SPF
wouldn't contribute to a DMARC check for mail.ru.

If pobox.com uses the original mail.ru envelope sender
then mail.ru's SPF will apply and it will fail (because
pobox.com won't be authorized by mail.ru's SPF). So it
won't contribute to a DMARC check for mail.ru either.

So, you can't count on SPF to get it through a DMARC
check for mail.ru.

The only other possibility is if the email was
DKIM-signed by mail.ru as well. If it wasn't, then
DMARC fails. If it was, and the email wasn't changed en
route in any way that invalidated the DKIM signature,
then DMARC passes. If the mail was modified too much,
then DMARC fails, but if pobox.com is just forwarding,
then it shouldn't have modified it in a way that
matters to DKIM.

And the DKIM signature has to have been signed with
mail.ru's DKIM key. Any other signing domain doesn't
apply for DMARC purposes.

So, if it's DKIM-signed by mail.ru, and pobox.com just
forwards it, and does nothing else other than adding
headers along the way, then it'll probably pass a DMARC
check for mail.ru. Otherwise, it won't.

Having said all that, what gmail does with it upon
arrival is entirely up to gmail.:-)


--
Ken N
https://lrblogs.com/


delivery rules question

2021-08-13 Thread Ken N

Hello

Given that my domain has these two MXes:

example.us. 299 IN  MX  5 mx-1.example.com.
example.us. 299 IN  MX  5 mx-2.example.com.


Do you think I can set up a rule to tell any peer MTA that:

Messages for use...@example.us will go to mx-1.example.com.
Messages for use...@example.us will go to mx-2.example.com.

Thank you.


--
Ken N
https://lrblogs.com/


Re: will this break DMARC?

2021-08-13 Thread Ken N

Thank you very much @raf. I have got your idea.


On 2021/8/13 1:03 PM, raf wrote:

On Fri, Aug 13, 2021 at 10:44:31AM +0800, Ken N  wrote:


I sent an email from mail.ru to pobox.com, and pobox forwarded it to Gmail.

This is DMARC setting of mail.ru:

_dmarc.mail.ru. 164 IN  TXT
"v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai;
"lto:dmarc_...@corp.mail.ru"

(please notice p=reject setting)

When Gmail receives the forwarded email from pobox, will it break DMARC?
Since the message header shows the sender as x...@mail.ru, but the SMTP talking
IP is pobox's IP address.

Thank you.
--
Ken N
https://lrblogs.com/


Maybe. It depends on lots of stuff. A DMARC check
passes if either SPF or DKIM pass, but (for DMARC
purposes), SPF only applies (and therefore can only
pass) when the From: domain matches the envelope sender
domain, and (for DMARC purposes) DKIM only applies (and
therefore can only pass) when the From: domain matches
the DKIM signing domain (d=).

If pobox.com uses its own envelope sender when
forwarding the email, then mail.ru's SPF doesn't apply
(because it wouldn't be the envelope sender domain
anymore). Instead, pobox.com's SPF applies (because
it's now the envelope sender domain). But pobox.com's
SPF doesn't apply to mail.ru's DMARC check. So SPF
wouldn't contribute to a DMARC check for mail.ru.

If pobox.com uses the original mail.ru envelope sender
then mail.ru's SPF will apply and it will fail (because
pobox.com won't be authorized by mail.ru's SPF). So it
won't contribute to a DMARC check for mail.ru either.

So, you can't count on SPF to get it through a DMARC
check for mail.ru.

The only other possibility is if the email was
DKIM-signed by mail.ru as well. If it wasn't, then
DMARC fails. If it was, and the email wasn't changed en
route in any way that invalidated the DKIM signature,
then DMARC passes. If the mail was modified too much,
then DMARC fails, but if pobox.com is just forwarding,
then it shouldn't have modified it in a way that
matters to DKIM.

And the DKIM signature has to have been signed with
mail.ru's DKIM key. Any other signing domain doesn't
apply for DMARC purposes.

So, if it's DKIM-signed by mail.ru, and pobox.com just
forwards it, and does nothing else other than adding
headers along the way, then it'll probably pass a DMARC
check for mail.ru. Otherwise, it won't.

Having said all that, what gmail does with it upon
arrival is entirely up to gmail. :-)

cheers,
raf



--
Ken N
https://lrblogs.com/
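The alignment rule raf describes above (SPF only counts for DMARC when the From: domain matches the envelope sender domain, DKIM only when it matches d=), together with Ken's Google Groups observations earlier in the thread (footer breaks DKIM, From: rewriting makes it pass again), as an added example that is not code from the thread or from any of the mail systems named in it. It follows RFC 7489 Section 3.1 for identifier alignment and Section 6.6.2 for the policy result, and goes slightly beyond the thread by supporting both strict and relaxed alignment modes. The SPF and DKIM outcomes, the organizational-domain rule (last two labels, standing in for the Public Suffix List) and the policy assumed for googlegroups.com are constructed; only mail.ru's p=reject comes from the record Ken posted.

```python
"""DMARC evaluation over already-computed SPF and DKIM results (RFC 7489
s3.1 and s6.6.2). Added example; inputs are constructed, no DNS is used."""

from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption for this example: the last two
    labels. Real evaluators consult the Public Suffix List (e.g. co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 s3.1: 's' (strict) needs an exact match with the
    RFC5322.From domain; 'r' (relaxed) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class DkimResult:
    d: str        # signing domain from the signature's d= tag
    result: str   # verifier outcome: "pass" or "fail"


@dataclass
class Message:
    from_domain: str        # domain of the RFC5322.From header
    mail_from_domain: str   # domain of the envelope sender (RFC5321.MailFrom)
    spf_result: str         # SPF outcome for mail_from_domain at the connecting IP
    dkim: list = field(default_factory=list)


@dataclass
class DmarcPolicy:
    """The parts of the _dmarc.<from_domain> TXT record used here."""
    p: str              # none | quarantine | reject
    adkim: str = "r"    # DKIM alignment mode, default relaxed
    aspf: str = "r"     # SPF alignment mode, default relaxed


def evaluate(msg: Message, policy: DmarcPolicy) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes when at least one
    of SPF or DKIM both passed *and* is aligned with the From domain; an
    unaligned pass (a forwarder's SPF, a list's DKIM) counts for nothing."""
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.from_domain, msg.mail_from_domain, policy.aspf)
    dkim_ok = any(
        sig.result == "pass" and aligned(msg.from_domain, sig.d, policy.adkim)
        for sig in msg.dkim)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy.p)


# Policy for the From domain in the thread: p=reject is from the record
# Ken posted; it sets no adkim/aspf, so the relaxed defaults apply.
MAIL_RU_POLICY = DmarcPolicy(p="reject")
# Assumed policy for the rewritten From domain; not taken from the thread.
GROUPS_POLICY = DmarcPolicy(p="none")

# pobox.com forwards with SRS (its own envelope sender) and leaves the
# message intact: SPF passes for pobox.com but is unaligned; mail.ru's
# DKIM signature survives and is aligned.
FORWARDED_INTACT = Message("mail.ru", "pobox.com", "pass",
                           [DkimResult("mail.ru", "pass")])
# Same path, but mail.ru never DKIM-signed the message.
FORWARDED_UNSIGNED = Message("mail.ru", "pobox.com", "pass", [])
# A list appends a footer: mail.ru's signature breaks; the list's own
# signature passes but is not aligned with the From domain.
LIST_WITH_FOOTER = Message("mail.ru", "googlegroups.com", "pass",
                           [DkimResult("mail.ru", "fail"),
                            DkimResult("googlegroups.com", "pass")])
# The list rewrites From: to its own domain and signs as that domain, so
# the policy consulted is now the list domain's and DKIM is aligned.
LIST_REWRITTEN = Message("googlegroups.com", "googlegroups.com", "pass",
                         [DkimResult("googlegroups.com", "pass")])

if __name__ == "__main__":
    cases = [("forwarded intact", FORWARDED_INTACT, MAIL_RU_POLICY),
             ("forwarded, unsigned", FORWARDED_UNSIGNED, MAIL_RU_POLICY),
             ("list footer added", LIST_WITH_FOOTER, MAIL_RU_POLICY),
             ("list rewrote From", LIST_REWRITTEN, GROUPS_POLICY)]
    for name, msg, pol in cases:
        print(f"{name:22s} -> {evaluate(msg, pol)}")
```

The policy handed to `evaluate` is always the one published by the From: domain, which is why the From: rewrite changes the outcome: the message is no longer judged against mail.ru's p=reject at all. The real disposition step also honours pct= and the sp= subdomain policy, which are left out here.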


Re: will this break DMARC?

2021-08-12 Thread Ken N

Hello

When Gmail sees this forwarded email from pobox.com, it won't break SPF
because Pobox does SRS.


But I doubt it will break DMARC for mail.ru since:

1) the from address in message header is x...@mail.ru
2) the sender IP addr (by pobox) is not owned by mail.ru

So Gmail may reject this message due to the DMARC setting.

Am I right?

Thank you


On 2021/8/13 12:02 PM, Jeremy T. Bouse wrote:
The DMARC record itself looks fine and valid; however, the issue is
going to be whether your SPF and DKIM records align. I suspect the
issue will be in the alignment and the OP didn't provide those details
to be able to evaluate.


--
Ken N
https://lrblogs.com/


will this break DMARC?

2021-08-12 Thread Ken N

I sent an email from mail.ru to pobox.com, and pobox forwarded it to Gmail.

This is DMARC setting of mail.ru:

_dmarc.mail.ru.		164	IN	TXT 
"v=DMARC1;p=reject;rua=mailto:d...@rua.agari.com,mai; 
"lto:dmarc_...@corp.mail.ru"


(please notice p=reject setting)

When Gmail receives the forwarded email from pobox, will it break DMARC?
Since the message header shows the sender as x...@mail.ru, but the SMTP
talking IP is pobox's IP address.



Thank you.


--
Ken N
https://lrblogs.com/