Re: [ietf-smtp] broken signatures, was Curious

2020-07-22 02:38:14

> A better (but annoying) reason is there are a smattering of servers which
> reject messages based on broken DKIM signatures, against the rfc.

This does not have to be against the RFC.

An open source software for doing DKIM, that was last released (tagged/a tarball was created) in May 2015, got a bugfix in October 2015. Whoever uses the released version does the DKIM calculations wrong for some emails. This becomes evident after evaluating a lot of aggregate reports on a semi-busy server. Since the users of the software do not understand DKIM/do not evaluate the aggregate reports for their own servers, they keep running the unpatched software. So some correct DKIM headers are validated as wrong, and bad DKIM headers are inserted. When DMARC says to reject messages that do not validate DKIM, and either the recipient considers valid DKIM as invalid, or the sender inserts invalid DKIM, then advancing from DKIM to DMARC/ARC does not make sense.

SMTP-rejecting a suspicious message is much better than delivering the message to a recipient in such a way that the recipient is likely to overlook it.

To sum up, if a message is rejected because
- the DKIM was broken, so the rejection is against the RFC (no DMARC involved), or
- the DKIM was correct, but the DKIM evaluation software on the recipient site has a bug in the calculation algorithm and the sender published DMARC reject, or
- the DKIM was inserted by software that does the signing wrongly, the sender publishes DMARC reject, and the recipient applies the RFCs correctly

has all the same consequences.

Finding and resolving DKIM bugs, not limited to DNS troubles, is essential to bring DKIM/ARC/DMARC forward. My opinion is that there is no willingness in email operators to assist each other on this. Cooperation on the matter means, more or less, sending individual failure reports (otherwise one is not going to acknowledge that s/he uses DKIM-software with bugs).


----- Message from Brandon Long <blong=40google(_dot_)com(_at_)dmarc(_dot_)ietf(_dot_)org> ---------
   Date: Tue, 21 Jul 2020 13:35:29 -0700
   From: Brandon Long <blong=40google(_dot_)com(_at_)dmarc(_dot_)ietf(_dot_)org>
Subject: Re: [ietf-smtp] broken signatures, was Curious
     To: John Levine <johnl(_at_)taugh(_dot_)com>
     Cc: ietf-smtp <ietf-smtp(_at_)ietf(_dot_)org>

On Tue, Jul 21, 2020 at 1:19 PM John Levine <johnl(_at_)taugh(_dot_)com> wrote:

In article 
you write:
>As useless mail headers do make emails heavier, I am in favour of
>removing DKIM-Signature headers, that are known to be broken, e.g.
>because the current host has modified (and resubmitted) the message.

The amount of bandwidth used by e-mail is a rounding error of the
Internet's total, which is mostly video these days, and the amount
used by broken headers is a rounding error on that rounding error.

Look at the headers of the mail in your inbox, particularly mail from
large providers, and you'll find megabytes of headers that nobody is
ever likely to look at or use.  This battle was over decades ago.

A better (but annoying) reason is there are a smattering of servers which
reject messages based on broken DKIM signatures, against the rfc.


----- End message from Brandon Long <blong=40google(_dot_)com(_at_)dmarc(_dot_)ietf(_dot_)org> -----
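
The message above says DKIM signer and verifier bugs become evident from DMARC aggregate reports. The following is an added example, not part of the original post or of any DKIM package: a heuristic that compares per-reporter DKIM failure rates for mail sent directly from one's own servers. The domain, IP addresses, reporter names, 5% threshold and sample reports are constructed assumptions, and the reports are assumed to carry no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

OUR_DOMAIN = "example.org"   # assumption: the d= domain we sign with
OUR_IPS = {"192.0.2.10"}     # assumption: our own outbound MTA addresses

def make_report(org, rows):
    """Build a constructed RFC 7489 aggregate report; rows = (ip, count, dkim_result)."""
    recs = "".join(
        f"<record><row><source_ip>{ip}</source_ip><count>{n}</count></row>"
        f"<auth_results><dkim><domain>{OUR_DOMAIN}</domain><result>{res}</result>"
        f"</dkim></auth_results></record>" for ip, n, res in rows)
    return (f"<feedback><report_metadata><org_name>{org}</org_name>"
            f"</report_metadata>{recs}</feedback>")

SAMPLE_REPORTS = [  # constructed data, not taken from any real reporter
    make_report("mx.alpha.example", [("192.0.2.10", 400, "pass"), ("192.0.2.10", 3, "fail")]),
    make_report("mx.beta.example", [("192.0.2.10", 150, "pass"), ("192.0.2.10", 90, "fail")]),
    make_report("mx.gamma.example", [("192.0.2.10", 220, "pass"), ("203.0.113.7", 40, "fail")]),
]

def dkim_fail_rates(reports):
    """Per reporter: share of mail sent directly from OUR_IPS with no passing OUR_DOMAIN signature."""
    seen, failed = defaultdict(int), defaultdict(int)
    for xml_text in reports:
        root = ET.fromstring(xml_text)  # prefer defusedxml for reports from unknown senders
        org = root.findtext("report_metadata/org_name")
        for rec in root.iter("record"):
            if rec.findtext("row/source_ip") not in OUR_IPS:
                continue  # relayed or spoofed mail: a broken signature is expected there
            n = int(rec.findtext("row/count"))
            results = [s.findtext("result") for s in rec.iterfind("auth_results/dkim")
                       if s.findtext("domain") == OUR_DOMAIN]
            if results:
                seen[org] += n
                failed[org] += 0 if "pass" in results else n
    return {org: failed[org] / seen[org] for org in seen}

def diagnose(rates, threshold=0.05):
    """Heuristic: failures at every reporter suggest the signer, at only some their verifier."""
    bad = sorted(org for org, rate in rates.items() if rate > threshold)
    if bad and len(bad) == len(rates):
        return "signer", bad
    return ("verifier", bad) if bad else ("ok", bad)

if __name__ == "__main__":
    print(dkim_fail_rates(SAMPLE_REPORTS))
    print(diagnose(dkim_fail_rates(SAMPLE_REPORTS)))
```

A "verifier" result only narrows down where to look; confirming it still requires an individual failure report or a sample message from the reporter in question.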
