Re: DKIM absence

2023-05-03 Thread Jared Hall

On 5/2/2023 1:02 PM, Bill Cole wrote:

> That is a terrible idea. There are perfectly good reasons for a domain
> to only sign some mail. Justifying a +3 score on something which is
> only wrong *IN YOUR HEAD* is hard.
>
> ADSP and DMARC both exist apart from DKIM. It is an entirely valid
> choice to NOT use them.




Yes, Bill is a voice of reason.  There ARE good reasons to only sign 
some mail.  Example use case:


-
I use SPF/DMARC everywhere.   Emails from our servers do not have DKIM 
signatures.  All is good and management is easy.


However, I have several clients that use ESP contact managers, like 
ConstantContact.  Constant Contact provides a couple of CNAME records to 
use for their signing records.  All is good and management continues to 
be easy.  Everybody is happy. Deliverability is 100%.

-

Validate a DKIM record IF it exists in an Email.  Honor DMARC policies 
as you wish.  But IMHO, it is probably not a good idea to go looking for 
trouble that doesn't exist.



-- Jared Hall



Re: DKIM absence

2023-05-02 Thread Benny Pedersen

Matus UHLAR - fantomas skrev den 2023-05-02 19:25:

>> Greg Troxel skrev den 2023-05-02 18:29:
>>> DKIM_MISSING    Domain has DKIM records but message has no DKIM signature
>
> On 02.05.23 18:59, Benny Pedersen wrote:
>> there is no _domainkeys in dns
>
> sorry, it's _domainkey.example.com

example.com has RFC 7505 to be picky (nullMX)

>>> with maybe +3 to start, as a sort-of-soft-implied-DMARC.
>
>> yes _dmarc is in dns
>
>>> (surely this is doable in a plugin; it's not conceptually hard)
>
>> ha, it's as simple as winning the lotto :=)
>
> funny, looks like Mail::SpamAssassin::Plugin::AskDNS can check for
> NOERROR:

forget it, as Bill says

>  Lastly, the filtering parameter can be a comma-separated list of
>  DNS status codes (rcode), enclosed in square brackets. Rcodes can
>  be represented either by their numeric decimal values (0=NOERROR,
>  3=NXDOMAIN, ...), or their names.  See
>  https://www.iana.org/assignments/dns-parameters for the list of
>  names. When testing for a rcode where rcode is nonzero, a RR type
>  parameter is ignored as a filter, as there is typically no answer
>  section in a DNS reply when rcode indicates an error.  Example:
>  [NXDOMAIN], or [FormErr,ServFail,4,5] .

looking forward to seeing results from it


Re: DKIM absence

2023-05-02 Thread Matus UHLAR - fantomas

> Greg Troxel skrev den 2023-05-02 18:29:
>> DKIM_MISSING    Domain has DKIM records but message has no DKIM signature

On 02.05.23 18:59, Benny Pedersen wrote:
> there is no _domainkeys in dns

sorry, it's _domainkey.example.com

>> with maybe +3 to start, as a sort-of-soft-implied-DMARC.

> yes _dmarc is in dns

>> (surely this is doable in a plugin; it's not conceptually hard)

> ha, it's as simple as winning the lotto :=)

funny, looks like Mail::SpamAssassin::Plugin::AskDNS can check for NOERROR:

 Lastly, the filtering parameter can be a comma-separated list of
 DNS status codes (rcode), enclosed in square brackets. Rcodes can
 be represented either by their numeric decimal values (0=NOERROR,
 3=NXDOMAIN, ...), or their names.  See
 https://www.iana.org/assignments/dns-parameters for the list of
 names. When testing for a rcode where rcode is nonzero, a RR type
 parameter is ignored as a filter, as there is typically no answer
 section in a DNS reply when rcode indicates an error.  Example:
 [NXDOMAIN], or [FormErr,ServFail,4,5] .


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody


Re: DKIM absence

2023-05-02 Thread Bill Cole

On 2023-05-02 at 12:29:53 UTC-0400 (Tue, 02 May 2023 12:29:53 -0400)
Greg Troxel
is rumored to have said:

> Matus UHLAR - fantomas writes:
>
>> On 02.05.23 08:37, Thomas Johnson wrote:
>>> If there’s no dkim signature, you can’t check for dkim records in
>>> dns.  The selector for a dkim signature is arbitrary - there’s no
>>> one dns lookup you can do to see all possible dkim records for a
>>> domain.
>>
>> a trick: if _domainkeys.example.com exists (returns anything but
>> NXDOMAIN), we may assume that at least DKIM records exist.
>>
>> I just have no idea how to test this in SA (at least not within
>> rule).
>
> I think that's a great idea, and we could add
>
> DKIM_MISSING    Domain has DKIM records but message has no DKIM signature
>
> with maybe +3 to start, as a sort-of-soft-implied-DMARC.

That is a terrible idea. There are perfectly good reasons for a domain
to only sign some mail. Justifying a +3 score on something which is only
wrong *IN YOUR HEAD* is hard.

ADSP and DMARC both exist apart from DKIM. It is an entirely valid
choice to NOT use them.

> (surely this is doable in a plugin; it's not conceptually hard)

Feel free to implement it on your own and report back the results.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: DKIM absence

2023-05-02 Thread Benny Pedersen

Greg Troxel skrev den 2023-05-02 18:29:

> DKIM_MISSING    Domain has DKIM records but message has no DKIM signature

no

there is no _domainkeys in dns

> with maybe +3 to start, as a sort-of-soft-implied-DMARC.

yes _dmarc is in dns

> (surely this is doable in a plugin; it's not conceptually hard)

ha, it's as simple as winning the lotto :=)


Re: DKIM absence

2023-05-02 Thread Greg Troxel

Matus UHLAR - fantomas writes:

> On 02.05.23 08:37, Thomas Johnson wrote:
>> If there’s no dkim signature, you can’t check for dkim records in
>> dns.  The selector for a dkim signature is arbitrary - there’s no
>> one dns lookup you can do to see all possible dkim records for a
>> domain.
>
> a trick: if _domainkeys.example.com exists (returns anything but
> NXDOMAIN), we may assume that at least DKIM records exist.
>
> I just have no idea how to test this in SA (at least not within rule).

I think that's a great idea, and we could add

DKIM_MISSING    Domain has DKIM records but message has no DKIM signature

with maybe +3 to start, as a sort-of-soft-implied-DMARC.

(surely this is doable in a plugin; it's not conceptually hard)


Re: DKIM absence

2023-05-02 Thread Greg Troxel

> Right, because you need to grovel out the selector from the
> DKIM-Signature line.  Groan.
>
> That you can't mark a domain as requiring DKIM at the top-level seems
> to be a design flaw in the protocol.

Yes, but I think the way that is fixed is spelled DMARC.


Re: DKIM absence

2023-05-02 Thread Matus UHLAR - fantomas

On May 2, 2023, at 8:27 AM, Philip Prindeville wrote:
>> Is there a way to add scoring that says, "If the sending domain has DKIM
>> records, but there's no DKIM signature on this message, then attach a
>> high score to it?"
>>
>> We seem to attach negative scores when DKIM is present and valid, but
>> what about the opposite direction?
>>
>> If it's absent, but it shouldn't be?

On 02.05.23 08:37, Thomas Johnson wrote:
> If there’s no dkim signature, you can’t check for dkim records in dns.
> The selector for a dkim signature is arbitrary - there’s no one dns lookup
> you can do to see all possible dkim records for a domain.

a trick: if _domainkeys.example.com exists (returns anything but NXDOMAIN),
we may assume that at least DKIM records exist.

I just have no idea how to test this in SA (at least not within rule).


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Atheism is a non-prophet organization.


Re: DKIM absence

2023-05-02 Thread Philip Prindeville



> On May 2, 2023, at 9:37 AM, Thomas Johnson  wrote:
> 
> 
>> On May 2, 2023, at 8:27 AM, Philip Prindeville 
>>  wrote:
>> 
>> Is there a way to add scoring that says, "If the sending domain has DKIM 
>> records, but there's no DKIM signature on this message, then attach a high 
>> score to it?"
>> 
>> We seem to attach negative scores when DKIM is present and valid, but what 
>> about the opposite direction?
>> 
>> If it's absent, but it shouldn't be?
>> 
> 
> 
> If there’s no dkim signature, you can’t check for dkim records in dns. The 
> selector for a dkim signature is arbitrary - there’s no one dns lookup you 
> can do to see all possible dkim records for a domain. 
> 
> You can use ADSP - it’s old and I don’t know how many domains have ADSP 
> records these days, but it lets a domain specify that all mail must be dkim 
> signed to be considered valid.  
> 
> We tell our customers to add an ADSP record, and we use it when checking 
> their incoming mail to help identify forgeries. I don’t know that it helps 
> much with mail from non-customers, though.  I’ll have to check and see how 
> often our rules hit for that. 
> 


Right, because you need to grovel out the selector from the DKIM-Signature 
line.  Groan.

That you can't mark a domain as requiring DKIM at the top-level seems to be a 
design flaw in the protocol.




Re: DKIM absence

2023-05-02 Thread Thomas Johnson


> On May 2, 2023, at 8:27 AM, Philip Prindeville 
>  wrote:
> 
> Is there a way to add scoring that says, "If the sending domain has DKIM 
> records, but there's no DKIM signature on this message, then attach a high 
> score to it?"
> 
> We seem to attach negative scores when DKIM is present and valid, but what 
> about the opposite direction?
> 
> If it's absent, but it shouldn't be?
> 


If there’s no dkim signature, you can’t check for dkim records in dns. The 
selector for a dkim signature is arbitrary - there’s no one dns lookup you can 
do to see all possible dkim records for a domain. 

You can use ADSP - it’s old and I don’t know how many domains have ADSP records 
these days, but it lets a domain specify that all mail must be dkim signed to 
be considered valid.  

We tell our customers to add an ADSP record, and we use it when checking their 
incoming mail to help identify forgeries. I don’t know that it helps much with 
mail from non-customers, though.  I’ll have to check and see how often our 
rules hit for that. 
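As an added example (not code from this thread, from SpamAssassin or from any poster), the Python below implements the `_domainkey` NXDOMAIN trick from Matus's message alongside the ADSP and DMARC lookups Thomas and Greg point to, with DNS replaced by a constructed in-memory zone so it runs offline; it also shows why, as Thomas says, a key lookup needs the s= and d= tags of an existing DKIM-Signature. The `lookup` resolver, the zone contents, the `strict.example`/`esp.example` names and the `ctct1` selector are all assumptions; `esp.example` models Jared's partial-signing setup, where the trick fires on legitimately unsigned mail, which is the false positive Bill objects to.

```python
import re

NOERROR, NXDOMAIN = 0, 3  # DNS rcodes, numeric values as in the IANA registry


def _tags(txt):
    """Parse a 'k=v; k2=v2' tag list (DKIM-Signature, ADSP and DMARC all use it)."""
    return dict(re.findall(r'([a-z]+)=\s*([^;\s]+)', txt))


def dkim_query_name(dkim_signature):
    """The key's DNS name is only known from the header's s= and d= tags;
    without a signature there is nothing to look up (Thomas's point)."""
    t = _tags(dkim_signature)
    return f"{t['s']}._domainkey.{t['d']}" if 's' in t and 'd' in t else None


def unsigned_mail_signals(domain, lookup):
    """Signals for a message from `domain` that carries NO DKIM-Signature.
    lookup(name) -> (rcode, [txt strings]) is an assumed, injected resolver."""
    rcode, _ = lookup(f"_domainkey.{domain}")
    # Matus's trick: if the _domainkey label exists at all (anything but
    # NXDOMAIN) the domain publishes some DKIM key, so unsigned mail is odd.
    dkim_missing = rcode != NXDOMAIN
    rcode, txts = lookup(f"_adsp._domainkey.{domain}")
    adsp = _tags(txts[0]).get("dkim") if rcode == NOERROR and txts else None
    rcode, txts = lookup(f"_dmarc.{domain}")
    dmarc = _tags(txts[0]).get("p") if rcode == NOERROR and txts else None
    return {"DKIM_MISSING": dkim_missing, "adsp": adsp, "dmarc": dmarc}


# Constructed zone data, not real DNS.  strict.example signs everything and
# says so via ADSP and DMARC.  esp.example is Jared's case: one selector is
# CNAMEd to an ESP, which makes _domainkey.esp.example an empty non-terminal
# (NOERROR with no data), while the domain's own servers send unsigned mail.
ZONE = {
    "_domainkey.strict.example":       (NOERROR, []),
    "_adsp._domainkey.strict.example": (NOERROR, ["dkim=all"]),
    "_dmarc.strict.example":           (NOERROR, ["v=DMARC1; p=reject"]),
    "ctct1._domainkey.esp.example":    (NOERROR, ["v=DKIM1; k=rsa; p=KEY_PLACEHOLDER"]),
    "_domainkey.esp.example":          (NOERROR, []),
    "_dmarc.esp.example":              (NOERROR, ["v=DMARC1; p=none"]),
}


def lookup(name):
    """Assumed resolver over ZONE; unknown names answer NXDOMAIN."""
    return ZONE.get(name, (NXDOMAIN, []))


if __name__ == "__main__":
    for d in ("strict.example", "esp.example", "nodkim.example"):
        print(d, unsigned_mail_signals(d, lookup))
```

For esp.example the heuristic flag is raised while neither ADSP nor an enforcing DMARC policy backs it up, which is exactly the case where a +3 score would punish a domain that has chosen to sign only some mail.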





Re: DKIM absence

2023-05-02 Thread Benny Pedersen

Philip Prindeville skrev den 2023-05-02 17:26:

> Is there a way to add scoring that says, "If the sending domain has
> DKIM records, but there's no DKIM signature on this message, then
> attach a high score to it?"
>
> We seem to attach negative scores when DKIM is present and valid, but
> what about the opposite direction?
>
> If it's absent, but it shouldn't be?

sure, just make a DKIM test for a specific DKIM domain, then add a high score
if matched

this requires a DKIM pass, i.e. it does not work for none

test it in sandbox