On Mon, 23 Jul 2018 at 23:50, John Levine <jo...@taugh.com> wrote:
> In article
> <cahvbj+kaxamyr1o2adc-eqrhbf+sphyu5q_pgsybwtm4tmt...@mail.gmail.com> you
> write:
> >On Mon, 23 Jul 2018 at 20:16, Steve Atkins <st...@blighty.com> wrote:
> >> > On Jul 21, 2018, at 1:28 AM, Stefano Bagnara <mai...@bago.org> wrote:
> >> > [...]
> >> > Otherwise we keep weakening DMARC to a point where it is not useful
> >> > anymore.
> >>
> >> For many senders it's not useful; it's actively harmful. They're deploying
> >> it because they've been
> >ordered to, or because they've received bad advice, or because they're
> >copying others who've made poor
> >decisions.
> >
> >The "v=spf1 +all" SPF record is another, even easier, way to work around it.
>
> It doesn't work, of course, since mailing lists invariably use their
> own bounce address, not the one in the original author's domain.
Right. Sorry.

> >RFC6376 5.4. Determine the Header Fields to Sign:
> >"signing fields present in the message such as Date, Subject,
> >Reply-To, Sender, and all MIME header fields are highly advised."
>
> We wrote that a long time before anyone had imagined the mess that is DMARC.

Well, if it is not valid anymore then we need an update... "You" made 3
revisions between 2007 and 2011 and then stopped updating it when it
really started being used? ;-)
There's not even an "errata" for that. Implementors (when they read the
RFC) deserve to know what the *current* best practices suggested by the
spec RFC are.

> >May be another plan using multiple signatures.
> >
> >You can sign it twice, once with the "suggested" setup and once with
> >your "minimal" setup (a different selector and very fast-rotating
> >selector/keys). This way receivers that only wants to accept DKIM as
> >valid when enough headers and enough of the body is signed can still
> >accept one of your DKIM signatures.
>
> Sure, if you think that's useful.

I see your messages to this mailing list are failing DMARC and here are
their signatures:

DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=c4b4.5b538d77.k1807; ...
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=c4b4.5b538d77.k1807; ...

I'm not sure I understand why (the rationale about it) you decide to sign
those headers and fail DMARC here, while you suggest the "asker" to stop
signing reply-to....

And still I'm honestly looking for stats about how many domains are
really currently sending DMARC reports to senders (I get reports for much
less than 1% of my recipients: is it what you all get or is there
something wrong in my setup/target?).
Stefano
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
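As an added example (not code from this thread or from any of its participants), here is a small receiver-side check in Python for the two points argued above: which of the header fields RFC 6376 section 5.4 advises signing a given h= tag actually covers, and, when a message carries several DKIM signatures, whether any one of them satisfies a local coverage policy. The first two DKIM-Signature values are copied from the message above (including its "..." elision); the third, with d=example.net and s=suggested, is constructed to show the "suggested" setup with Reply-To and Sender signed. Signature verification itself (key lookup, hash comparison) is assumed to happen elsewhere.

```python
import re
from typing import Dict, List, Optional, Set

# Header fields RFC 6376 section 5.4 calls "highly advised" to sign (the text
# quoted in the thread above), plus From, which RFC 6376 requires in every h=.
# "All MIME header fields" is represented here by the three common ones.
ADVISED_HEADERS: Set[str] = {
    "from", "date", "subject", "reply-to", "sender",
    "mime-version", "content-type", "content-transfer-encoding",
}


def parse_dkim_signature(value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2).

    Folding whitespace inside values is removed; parts without '=' (such as the
    '...' where the thread elided the rest of the header) are ignored.
    """
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if not sep:
            continue
        tags[name.strip().lower()] = re.sub(r"\s+", "", val)
    return tags


def signed_headers(tags: Dict[str, str]) -> List[str]:
    """Return the h= list in order, lower-cased; duplicates are kept on purpose."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def coverage(value: str) -> Dict[str, object]:
    """Report which advised headers a signature covers and which it leaves unsigned."""
    tags = parse_dkim_signature(value)
    signed = set(signed_headers(tags))
    return {
        "domain": tags.get("d", ""),
        "selector": tags.get("s", ""),
        "covered": sorted(signed & ADVISED_HEADERS),
        "missing": sorted(ADVISED_HEADERS - signed),
    }


def oversigned(value: str) -> List[str]:
    """Headers listed more often in h= than they would normally occur.

    RFC 6376 section 5.4.2 lets a signer list a field more times than the
    message contains it, so that a later added instance (e.g. a second
    Reply-To inserted in transit) breaks the signature.
    """
    hs = signed_headers(parse_dkim_signature(value))
    return sorted({h for h in hs if hs.count(h) > 1})


def best_signature(values: List[str], required: Set[str]) -> Optional[Dict[str, str]]:
    """Receiver-side policy: the first signature whose h= covers every header
    in `required`, or None when none does. Assumes all values already verified."""
    for value in values:
        tags = parse_dkim_signature(value)
        if required <= set(signed_headers(tags)):
            return tags
    return None


# First two values: copied from the message above ("..." is the thread's own
# elision). Third value: constructed, showing the "suggested" setup with
# Reply-To and Sender signed and Reply-To oversigned.
SIGNATURES = [
    "v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:"
    "in-reply-to:mime-version:content-type:content-transfer-encoding; s=c4b4.5b538d77.k1807; ...",
    "v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:"
    "in-reply-to:mime-version:content-type:content-transfer-encoding; s=c4b4.5b538d77.k1807; ...",
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; s=suggested; "
    "h=from:date:subject:reply-to:reply-to:sender:to:cc:message-id:mime-version:"
    "content-type:content-transfer-encoding; bh=...; b=...",
]

if __name__ == "__main__":
    for sig in SIGNATURES:
        report = coverage(sig)
        print(f"{report['domain']}/{report['selector']}: missing {report['missing']}, "
              f"oversigned {oversigned(sig)}")
    chosen = best_signature(SIGNATURES, {"from", "reply-to", "sender"})
    print("satisfies policy:", chosen["d"] if chosen else None)
```

Run against the thread's own signatures, the report shows both iecc.com and taugh.com leaving Reply-To and Sender unsigned, which is exactly the gap the RFC 6376 quotation warns about; with a second signature under a different selector that does cover them, a receiver applying a stricter coverage policy can still accept the message on that signature alone, which is the multiple-signature arrangement proposed in the quoted text.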