On Tue, Jul 13, 2021 at 06:06:16PM -0400, post...@ptld.com wrote:

> > A DKIM signature does not imply any expectation that
> > all messages will have valid signatures.
>
> Why does DKIM signature exist if not to provide a way to know if an
> email has been altered after someone sent it? Why can't someone expect a
> signature to be valid? I assume computers are capable of creating a
> valid signature 100% of the time.

DKIM authenticates the message origin (domain rather than a specific
sender in most cases). The primary intent is to support whitelisting,
and to allow contracted providers to leverage your sender reputation
when sending messages on your behalf.

Email transits multiple hops from sender to recipient, possibly
undergoing various transformations en route. DKIM signatures are
fragile, and can break for many reasons. Not all legitimate senders
always send via a relay that is capable of signing their message.

> > That's because DMARC (which I don't use or recommend)
>
> Why don't you recommend DMARC? What is wrong with it?

DMARC does not solve any problem I care to have solved. IMHO its
primary utility was to externalise Yahoo's abuse desk costs onto the
community.

> Do you accept *ALL* mail sent to you in your inbox spam or not?

I reject some email from IP addresses with poor reputations, missing
PTR records, ... but otherwise, yes all mail is delivered, and is then
classified as junk or not by the mail client. I delete a dozen or so
spam messages a day.

> Other than SPF records and DMARC what other tools exist to verify if
> mail came from the domain they purport to?

Have you had previous contact with the sender? Is this the sort of
message you expected from them? Does its timing or content raise any
alarms? I don't care what path legitimate messages took to get to me,
but for suspect messages, the path may confirm their lack of
legitimacy.

If I were to use SPF, DKIM, DMARC, ... I might then sometimes look at
the Authentication-Results header for further clues, but presently I
don't have any use for these.

> > DKIM does not convey any policy, and the correct default policy is
> > to treat invalid signatures the same way as you would treat missing
> > signatures.
>
> Yes, DKIM is a signature, and DMARC is the policy that says if the
> signature is invalid you are allowed to p=reject that mail. But you're
> telling me at no time are you allowed to reject a message for an invalid
> signature.

Barring a DMARC policy, or some specific out-of-band knowledge about
the sender domain, yes you should not reject mail either for lack of a
signature or the presence of an invalid signature.

    https://datatracker.ietf.org/doc/html/rfc6376#page-51

> I'm wondering if that is the case why does DKIM or DMARC exist?

It makes it possible to assign a message reputation by origin domain.
This facilitates delivery of legitimate bulk mail that users of large
email systems actually signed up for, making it possible to allow in
some mail that would otherwise be deemed junk when sent by a less
scrupulous outfit.

> Maybe I read it wrong but within DMARC policy isn't it allowed for
> mail servers to have local policies that override the policy request
> of what to do with invalid DKIM signatures?

Sure, but a blanket reject on signature mismatch is specifically called
out as a bad idea by the DKIM specification.

> > You can break your system if you wish. For the record, nobody else
> > should follow your example.
>
> How is giving end users the choice, the control, over what happens with
> their email "breaking" my system?

The choice you're offering them is a bad choice, and they're typically
not well enough informed to make it wisely.

You can implement DMARC, and then reject mail from domains that have
"p=reject", at the cost of breaking some mailing lists, ... but absent
such a DMARC policy, you should not apply a blanket "p=reject" for
apparently signed DKIM messages with signatures that became invalid
en route.

Valid DKIM signatures can make it easier to apply greater scrutiny to
messages that lack a positive reputation, without incurring an
excessive false positive rate. But you still need some real evidence
that a message is likely junk before it is rejected. Mere DKIM
"failure" isn't such evidence.

-- 
    Viktor.
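The receiver-side rule Viktor describes (no DMARC policy: an invalid DKIM signature is handled exactly like a missing one; a published p=reject on the From: domain is what turns an unaligned DKIM/SPF result into a rejection) as an added example in Python. This is illustration code, not part of the post and not Postfix code. It assumes constructed Authentication-Results headers and a constructed dict standing in for the _dmarc.<domain> TXT lookups, performs no DNS, approximates the organizational domain by the last two labels instead of the Public Suffix List, and ignores the DMARC sp= and pct= tags.

```python
"""Added example, not part of the original post or of any Postfix code.

Acting on an Authentication-Results header under the rule discussed above:
absent a DMARC policy for the From: domain, dkim=fail is treated like
dkim=none; only a published p=reject (or p=quarantine) for the From: domain
turns an unaligned DKIM/SPF outcome into a reject (or junk) verdict.

Assumptions (all constructed for the example): no DNS, DMARC records in a
dict, organizational domain = last two labels, sp=/pct= tags ignored.
"""
import re

# Constructed stand-in for the _dmarc.<domain> TXT records a real MTA would fetch.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none",
}

# Constructed headers as a verifying MTA ("mx.example.org") might add them.
HDR_BROKEN_SIG = ("mx.example.org; dkim=fail (body hash mismatch) "
                  "header.d=example.net header.s=sel; spf=none")
# Mailing list rewrote the body (signature broken) and uses its own envelope sender.
HDR_LIST_RELAY = ("mx.example.org; dkim=fail (body hash mismatch) "
                  "header.d=example.com header.s=sel; "
                  "spf=pass smtp.mailfrom=lists.example.org")
# Contracted provider broke the signature but bounces to an aligned subdomain.
HDR_ESP_RELAY = ("mx.example.org; dkim=fail (body hash mismatch) "
                 "header.d=example.com header.s=sel; "
                 "spf=pass smtp.mailfrom=bounce@mail.example.com")

_RESULT = re.compile(r"^\s*(?P<method>[a-z]+)=(?P<result>[a-z]+)(?P<rest>.*)$", re.I | re.S)
_PROP = re.compile(r"(?P<ptype>[a-z]+)\.(?P<prop>[a-z]+)=(?P<val>\S+)", re.I)


def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v") == "DMARC1" else None


def parse_auth_results(header):
    """Parse an Authentication-Results header (RFC 8601 shape) into
    (authserv_id, [(method, result, {"ptype.prop": value}), ...]).
    Parenthesised comments are dropped; a ';' inside a comment is not handled
    (assumption: the constructed headers above contain none)."""
    header = " ".join(header.split())          # unfold and squeeze whitespace
    parts = header.split(";")
    authserv_id = parts[0].strip()
    results = []
    for part in parts[1:]:
        m = _RESULT.match(part)
        if not m:
            continue
        rest = re.sub(r"\([^)]*\)", " ", m.group("rest"))   # strip comments
        props = {f"{p.group('ptype')}.{p.group('prop')}".lower(): p.group("val")
                 for p in _PROP.finditer(rest)}
        results.append((m.group("method").lower(), m.group("result").lower(), props))
    return authserv_id, results


def org_domain(domain):
    """Toy organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain):
    """DMARC relaxed alignment: same organizational domain."""
    return bool(auth_domain) and org_domain(from_domain) == org_domain(auth_domain)


def decide(from_domain, auth_results, records=DMARC_RECORDS):
    """Return (verdict, reason); verdict is 'accept', 'quarantine' or 'reject'."""
    _, results = parse_auth_results(auth_results)
    dkim_ok = any(m == "dkim" and r == "pass" and aligned(from_domain, p.get("header.d", ""))
                  for m, r, p in results)
    spf_ok = any(m == "spf" and r == "pass"
                 and aligned(from_domain, p.get("smtp.mailfrom", "").rpartition("@")[2])
                 for m, r, p in results)
    record = records.get(org_domain(from_domain))
    policy = parse_dmarc(record) if record else None
    if policy is None:
        # No policy published: a failed or absent signature is not evidence of abuse.
        return "accept", "no DMARC policy; dkim=fail treated like dkim=none"
    if dkim_ok or spf_ok:
        return "accept", "DMARC pass"
    p = policy.get("p", "none")
    if p == "reject":
        return "reject", "DMARC fail, p=reject"
    if p == "quarantine":
        return "quarantine", "DMARC fail, p=quarantine"
    return "accept", "DMARC fail, p=none"


if __name__ == "__main__":
    for sender, hdr in (("example.net", HDR_BROKEN_SIG), ("example.org", HDR_BROKEN_SIG),
                        ("example.com", HDR_LIST_RELAY), ("example.com", HDR_ESP_RELAY)):
        print(sender, "->", decide(sender, hdr))
```

The two p=reject cases show both sides of the trade-off in the post: the contracted provider that breaks the signature but keeps an aligned envelope sender still gets through via SPF alignment, while a mailing list that rewrites the body and uses its own envelope sender is rejected, which is exactly the breakage a receiver accepts when it chooses to enforce p=reject.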