Re: accept email if pass SPF or DKIM

[Dominic Raferd]

On 11 January 2018 at 03:24, li...@lazygranch.com  wrote:
> On Wed, 10 Jan 2018 21:59:26 -0500
>> On 1/10/2018 9:53 PM, li...@lazygranch.com wrote:

> I help with a few people I know that set up their own email to pass
> SPF and DKIM, but realistically no major corporation is going to give a
> sample of fecal matter to my opinion, presuming I could ever find the
> person in charge.
>
> Google is of the opinion that all you need is DKIM. Seems to me they
> are correct, but we have to work with whatever the sysop wants to
> implement. (Google provides SPF for their cloud servers as a means to
> get the IP space. I see hacking from that space of course, so the list
> comes in handy for blocking.)
>
> Maybe there is a way to check DKIM first, then skip the SPF check. The
> number of servers that only do SPF but not DKIM is small. I have one
> contact whose email employs neither SPF or DKIM. That is plus.net. In
> the spirit of making the world a better place, I will contact them and
> see how far I get.
>

Why reinvent the wheel? As Scott has said, this is what DMARC is for.
Google follows DMARC (although it doesn't implement it for outgoing
mails). DMARC allows senders to specify what receivers should do with
emails that purport to be from their domain (looking, critically, at
the 'From:' header) and which fail SPF *and* DKIM.

openDMARC uses headers added by openDKIM and can also look at headers
added by a local SPF checker (or perform its own SPF checking). A
perfect DKIM implementation of email for a domain makes SPF redundant
but (a) having an SPF record may improve 'reputation' and (b) a few
servers may (very unwisely IMO) reject emails based purely on SPF.
But IMO both DKIM and SPF are useless in practice without alignment,
because they test against (envelope) parameters which aren't seen by
most recipients.

I guess what you are suggesting is openDMARC with an aggressive
'policy override', where a presumed DMARC 'quarantine' (or if you
prefer 'reject') policy is implemented for all incoming emails that
have a DKIM header or which have a connected SPF policy, even if
sender's DNS has not specified such a policy in their DMARC DNS entry
or lacks a DMARC policy. On top of this you might need to whitelist
emails from mailing lists, which create problems for DMARC (or
vice-versa, depending on your point of view). This would require
patching openDMARC.

An alternative if you use Thunderbird is to get the 'DKIM Verifier'
add-on, this uses a background colo(u)r on the 'From:' header to
indicate DKIM pass/fail and, critically, alignment. Pretty cool.

Re: accept email if pass SPF or DKIM

[li...@lazygranch.com]

On Wed, 10 Jan 2018 21:59:26 -0500
"Kevin A. McGrail"  wrote:

> On 1/10/2018 9:53 PM, li...@lazygranch.com wrote:
> > RTFMing, I see that both opendkim and python-policyd-spf have
> > whitelisting capabilities (especially python-policyd-spf). But for
> > the most part, my legitimate incoming email passes DKIM or SPF, but
> > often not both. What I would like to do is accept email that passes
> > either DKIM or SPF, but the milters are not connected in anyway
> > that I can see. What I'm trying to avoid is setting up whitelists
> > for each domain based on which method of identity the sysop decided
> > to implement.  
> That sounds like a problematic approach to me.
> 
> If an administrator of a domain sets up DNS for SPF records and then 
> fails, it should fail.
> If an administrator of a domain sets up DNS for DKIM records and that 
> fails, it should fail.
> 
> If an email is failing either, the administrator of the sending
> domain fails either, that indicates a problem.  Assuming your system
> isn't breaking DKIM, the sender really should be notified to resolve
> the issue.  Whitelisting would really open you up to problems.
> 
> Regards,
> KAM

I help with a few people I know that set up their own email to pass
SPF and DKIM, but realistically no major corporation is going to give a
sample of fecal matter to my opinion, presuming I could ever find the
person in charge.

Google is of the opinion that all you need is DKIM. Seems to me they
are correct, but we have to work with whatever the sysop wants to
implement. (Google provides SPF for their cloud servers as a means to
get the IP space. I see hacking from that space of course, so the list
comes in handy for blocking.)

Maybe there is a way to check DKIM first, then skip the SPF check. The
number of servers that only do SPF but not DKIM is small. I have one
contact whose email employs neither SPF or DKIM. That is plus.net. In
the spirit of making the world a better place, I will contact them and
see how far I get. 

Re: accept email if pass SPF or DKIM

[Scott Kitterman]

On January 11, 2018 2:53:10 AM UTC, "li...@lazygranch.com" 
 wrote:
>RTFMing, I see that both opendkim and python-policyd-spf have
>whitelisting capabilities (especially python-policyd-spf). But for the
>most part, my legitimate incoming email passes DKIM or SPF, but often
>not both. What I would like to do is accept email that passes either
>DKIM or SPF, but the milters are not connected in anyway that I can
>see. What I'm trying to avoid is setting up whitelists for each domain
>based on which method of identity the sysop decided to implement.

This is approximately what DMARC does:

https://dmarc.org/

Scott K

Re: accept email if pass SPF or DKIM

[Kevin A. McGrail]

On 1/10/2018 9:53 PM, li...@lazygranch.com wrote:

RTFMing, I see that both opendkim and python-policyd-spf have
whitelisting capabilities (especially python-policyd-spf). But for the
most part, my legitimate incoming email passes DKIM or SPF, but often
not both. What I would like to do is accept email that passes either
DKIM or SPF, but the milters are not connected in anyway that I can
see. What I'm trying to avoid is setting up whitelists for each domain
based on which method of identity the sysop decided to implement.

That sounds like a problematic approach to me.

If an administrator of a domain sets up DNS for SPF records and then 
fails, it should fail.
If an administrator of a domain sets up DNS for DKIM records and that 
fails, it should fail.


If an email is failing either, the administrator of the sending domain 
fails either, that indicates a problem.  Assuming your system isn't 
breaking DKIM, the sender really should be notified to resolve the 
issue.  Whitelisting would really open you up to problems.


Regards,
KAM

accept email if pass SPF or DKIM

[li...@lazygranch.com]

RTFMing, I see that both opendkim and python-policyd-spf have
whitelisting capabilities (especially python-policyd-spf). But for the
most part, my legitimate incoming email passes DKIM or SPF, but often
not both. What I would like to do is accept email that passes either
DKIM or SPF, but the milters are not connected in anyway that I can
see. What I'm trying to avoid is setting up whitelists for each domain
based on which method of identity the sysop decided to implement.