From: RW <rwmailli...@googlemail.com> >On Fri, 5 May 2017 14:51:32 +0000 >David Jones wrote:
>> >I know. I do not want to validate the envelope from with DKIM. I >> >just want to know if the mail was DKIM-VALID signed by the DOMAIN >> >used in the envelopefrom. >> >> >So the only thing I want with the envelop from is to extract the >> >domain and test if the mail was DKIM signed (and valid) by that >> >domain. >> >> >This tells me the envelope from is not some random spoofed address, >> >but actually controlled by someone who handled the e-mail before it >> >arrived at our mta. >> >> This actually would be a very useful rule/logic to add to SA: >> >> https://blog.returnpath.com/why-passing-and-aligning-both-spf-and-dkim-is-key-to-email-deliverability/ >So what would be the point in running a separate DKIM test against the >envelope if you are looking for alignment. I don't think this would be a separate DKIM test necessarily. It should be a combination of SPF_PASS + DKIM_VALID_AU + the envelope-from matches the DKIM-signed domain. This is basically perfect DMARC alignment where the domain has "p=reject" and DMARC would pass meaning the domain was not spoofed. >> When both align, it should be a very good candidate for whitelist_auth >> based on the sender domain reputation. >If it passes DKIM and the domain has a good reputation then what >difference would alignment make. Proper security in any context checks both authorization and authentication. This is SPF and DKIM respectively in the email filtering context. Spammers can get control of a compromised account and send a valid DKIM-signed email through that email server that would pass SPF with an envelope-from of example.com and DKIM signature of example.net (or some domain they had DNS control of like paypa1.com). If it passed DKIM_VALID_AU then the visible From: address in the recipient's mail client would show example.net or paypa1.com. Would I trust example.com or example.net in the above scenario? Which would be added to whitelist_auth? The authorized email was from example.com but the authenticated email was from example.net. The DMARC standard says that either SPF or DKIM has to pass for a DMARC pass based on that link above. The point of that link is to align both for best delivery results. I am just saying that it would be nice if SA had a rule that hit when both matched which is perfect DMARC alignment. Today I am able to get close to this using OpenDMARC to add headers then with custom rules to add DMARC_NONE, DMARC_PASS, or DMARC_FAIL. I think I would have to write a simple SA plugin to compare the envelope-from with the DKIM signature domain to see if they matched then I could use a meta rule to glue all of this together. Dave