
Re: [dmarc-ietf] IETF Mailing Lists and DMARC

2016-11-02 15:05:43
Since its inception, this has been the "Achilles' heel" of DKIM without a Signature Policy Authorization framework, i.e. authorizing 3rd-party mail processors, such as a list manager/server, that could break the integrity and/or resign the mail as a 3rd party.

The IETF abandoned the proposed standard ADSP RFC (and hence any add-on extension work like ATPS) and replaced it with an informative DMARC RFC described as a "Super ADSP" without resolving the 3rd party authorization problem.

ATPS was the original proposed standard to authorize the first party signature and combined with ADSP extension ATPS, it covered the Third Party Signature authorization.

ADSP/ATPS actually works very well. It's been in production for a number of years. I have "ietf.org" as a 3rd-party signer assigned to my ATPS records in DNS. Supportive receivers can then see that I authorize ietf.org to sign my IETF submissions, as my receivers do when I get a copy. My ADSP record for isdg.net is:

dkim=all; atps=y; asl=ietf.org,beta.winserver.com,santronics.com,isdg.net,winserver.com,megabytecoffee.com,mapurdy.com.au,mipassoc.org,gmail.com,googlegroups.com;"

The asl list contains my small list of authorized list servers plus other 3rd-party associates. For the larger "registered" list, the "atps=" tag says to look up the ATPS record of the signer domain in the author's zone. It works very well. This wizard helps illustrate how records are created and updated for the DMARC record:

    http://www.winserver.com/public/wcdmarc/default.wct

However, this solution requires a "Registration of 3rd-party Domains" solution, i.e. you have to learn/teach your personal network of email domains and register them somehow for others to look up and query, and many feel this won't scale. It won't for some, it will for others.

Now there is the ARC effort that could help resolve the problem, iff everyone supports it. IMO, it appears complex (the doc is very verbose). I believe it has RFC5222 overhead-related code changes. If you have an API ready for it, it should help. While receivers still need to support it, not all receivers use the same API base code.

I was not happy when a big investment was lost when the IETF abandoned (incorrectly, in my opinion) the ADSP work, in particular when DMARC effectively replaced ADSP, literally described as a "Super ADSP", and it didn't offer any 3rd-party policy support whatsoever. So I am not too eager to jump on more IETF DKIM-related work, including ARC. DMARC is not complete. It's not even a proposed standard. Lots of work still needs to be done, but I'm sure that RFC status can change when desired by the key cogs. All I would like to see is for DMARC to begin offering 3rd-party policy models with known solutions that include simple DNS lookups like ADSP/ATPS offered. It shouldn't be limited to just ARC.

That said, the only other current way to resolve this with DMARC is to relax your policy to "p=none".

By making it "p=reject", all DMARC-compatible receivers are designed to reject it when it's signed by 3rd-party signers and/or the original mail integrity, hence the 1st-party signature, is broken.

--
HLS


On 11/2/2016 12:00 PM, Cullen Jennings wrote:

So if someone sends an email with a bad signature to an IETF list from a domain 
that has a reject policy, and the IETF server forwards it to my email 
provider, my email provider rejects it. Now the IETF email server counts that 
as a bounce. Too many bounces in a row and the IETF server unsubscribes me from 
the list.

This does not seem OK that anyone can trivially send some SPAM and get me 
unsubscribed.

What's the right advice on how the IETF server should be run?

Now to a more detailed problem - Jana sends lots of email to the quic list. I 
don't get any of them. It appears that my email server (run by rackspace) 
rejects them with an

Diagnostic-Code: smtp; 550 5.7.1 Email rejected per DMARC policy for google.com 
(G15)

If Jana sends the email directly to me, it works. This seems to point at the 
IETF server doing something that breaks the signature in Jana's email.

I realize this is not the "debug your email" list, but I have no idea where is 
the right place to ask about this so I sent it here. Sorry.

Can anyone tell me how their DMARC system views the emails from Jana to the 
quic(_at_)ietf(_dot_)org list ?


_______________________________________________
dmarc mailing list
dmarc(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/dmarc
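Added example, not part of the message above or of the author's wcDMARC code: it shows in working Python why a list footer invalidates the author domain's DKIM body hash, how an ADSP record with an "asl=" list (and an "atps=y" hashed lookup for the larger registered list) lets a supportive receiver accept the list's 3rd-party signature anyway, and why a DMARC-only receiver ends up with the "p=reject" vs "p=none" outcomes described in the thread. Assumptions: DNS is a constructed in-memory table (the isdg.net record is the one quoted above with the wrapped domain rejoined; reject.example / none.example stand in for the google.com case); the ADSP record name follows RFC 5617 and the hashed per-signer label follows RFC 6541 as I read it; DMARC alignment is simplified to DKIM only, since a list's own bounce address prevents SPF alignment in any case.

```python
import base64
import hashlib
import re

def relaxed_body(body: str) -> bytes:
    """DKIM 'relaxed' body canonicalization (RFC 6376 3.4.4): collapse runs of
    WSP to one SP, drop trailing WSP, drop trailing empty lines, end with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def body_hash(body: str) -> str:
    """The bh= value a signer puts in DKIM-Signature (sha256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def parse_tags(record: str) -> dict:
    """Parse the 'k=v; k=v' tag lists used by ADSP, ATPS and DMARC TXT records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def atps_label(signer: str, author_domain: str) -> str:
    """Query name for a registered 3rd-party signer, RFC 6541 style (assumed here):
    base32(sha1(signer))._atps.<author domain>; DNS labels are case-insensitive."""
    digest = hashlib.sha1(signer.lower().encode()).digest()  # 20 bytes -> 32 base32 chars
    return f"{base64.b32encode(digest).decode().lower()}._atps.{author_domain.lower()}"

def signer_authorized(author_domain: str, signer: str, dns: dict) -> bool:
    """Does the author domain's ADSP/ATPS policy accept a DKIM signature from signer?"""
    author_domain, signer = author_domain.lower(), signer.lower()
    if signer == author_domain:
        return True  # 1st-party signature needs no authorization
    adsp = parse_tags(dns.get(f"_adsp._domainkey.{author_domain}", ""))
    # small inline list: asl=dom1,dom2,...
    asl = {d.strip().lower() for d in adsp.get("asl", "").split(",") if d.strip()}
    if signer in asl:
        return True
    # larger "registered" list: atps=y means look up the per-signer hashed record
    if adsp.get("atps", "").lower() == "y":
        reg = parse_tags(dns.get(atps_label(signer, author_domain), ""))
        return reg.get("v") == "ATPS1" and reg.get("d", "").lower() == signer
    return False

def dmarc_disposition(from_domain: str, dkim_results: list, dns: dict) -> str:
    """DMARC decision from DKIM alone. dkim_results: [(d= domain, verified?), ...]."""
    from_domain = from_domain.lower()
    aligned = any(ok and (d.lower() == from_domain or d.lower().endswith("." + from_domain))
                  for d, ok in dkim_results)
    if aligned:
        return "pass"
    policy = parse_tags(dns.get(f"_dmarc.{from_domain}", "")).get("p", "none").lower()
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")

# Constructed DNS table. The isdg.net record is the one quoted in the message
# above (wrapped domain rejoined); the *.example names are stand-ins.
DNS = {
    "_adsp._domainkey.isdg.net": (
        "dkim=all; atps=y; asl=ietf.org,beta.winserver.com,santronics.com,isdg.net,"
        "winserver.com,megabytecoffee.com,mapurdy.com.au,mipassoc.org,gmail.com,googlegroups.com;"
    ),
    "_dmarc.reject.example": "v=DMARC1; p=reject",  # stands in for the google.com case
    "_dmarc.none.example": "v=DMARC1; p=none",
}
# a hypothetical list server on the larger "registered" list, under its hashed label
DNS[atps_label("lists.example.org", "isdg.net")] = "v=ATPS1; d=lists.example.org"

def list_scenario() -> dict:
    """One message through a list that appends a footer and re-signs as ietf.org."""
    original = "Hi all,\n\nsee the attached draft.\n"          # constructed body
    bh_in_signature = body_hash(original)                  # computed by the author's MTA
    relayed = original + "\n_______________________________________________\nquic mailing list\n"
    author_sig_ok = body_hash(relayed) == bh_in_signature  # receiver recomputes bh=
    third_party = [("ietf.org", True)]                     # the list's own signature verifies
    return {
        "author_signature_intact": author_sig_ok,          # False: the footer changed the body
        # ADSP/ATPS-aware receiver: isdg.net explicitly lists ietf.org in asl=
        "isdg_accepts_list_signature": signer_authorized("isdg.net", "ietf.org", DNS),
        # DMARC-only receivers: ietf.org never aligns with the From: domain
        "reject_policy": dmarc_disposition("reject.example", [("reject.example", author_sig_ok)] + third_party, DNS),
        "none_policy": dmarc_disposition("none.example", [("none.example", author_sig_ok)] + third_party, DNS),
    }

if __name__ == "__main__":
    for key, value in list_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the four outcomes the thread argues about: the author's signature no longer verifies once the footer is appended, isdg.net's asl= entry lets an ADSP/ATPS-aware receiver accept the ietf.org signature, and a DMARC-only receiver rejects under p=reject but delivers under p=none, because the surviving ietf.org signature can never align with the From: domain.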