[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Michael Thomas
On 3/24/25 7:29 AM, Todd Herr wrote: On Mon, Mar 24, 2025 at 10:24 AM Jim Fenton wrote: Joining the conversation a little late due to travel… On 21 Mar 2025, at 21:41, Todd Herr wrote: >    - DKIM2, as currently described, allows and even encourages receivers to >    rej

[Ietf-dkim] Re: Multiple rcpt-to's

2025-03-24 Thread Wei Chuang
This note hopes to clarify the current discussion on DKIM2 signing for a single recipient vs multiple recipients, by identifying how each approach might work, and validation steps involved. From this we can identify the pros and cons of the two approaches. Single RCPT TO recipient signing has bee

[Ietf-dkim] Re: Multiple rcpt-to's

2025-03-24 Thread Michael Thomas
On 3/24/25 7:14 AM, Murray S. Kucherawy wrote: On Sun, Mar 23, 2025 at 5:06 PM Michael Thomas wrote: That's basically what I was trying to say. We can recommend and give the reasons why it's a good idea to do a single rcpt-to without mandating it with a MUST. The microscopic amount

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Wei Chuang
Apologies for being late to this thread and possibly rehashing things. I definitely think DMARC and DKIM2 should co-exist and complement each other, as DMARC provides a policy declaration mechanism while DKIM2 provides an authentication mechanism. On Fri, Mar 21, 2025 at 7:41 AM Todd Herr wrote:

[Ietf-dkim] Re: Multiple rcpt-to's

2025-03-24 Thread Murray S. Kucherawy
On Sun, Mar 23, 2025 at 5:06 PM Michael Thomas wrote: > On 3/23/25 4:47 PM, Murray S. Kucherawy wrote: > > The reason I keep harping on this is that I don't understand the value of >> picking fights that need not be picked, cf the advice in 5321 that Barry >> brought up. I doubt I will be the onl

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Jim Fenton
Joining the conversation a little late due to travel… On 21 Mar 2025, at 21:41, Todd Herr wrote: >- DKIM2, as currently described, allows and even encourages receivers to >reject messages that fail DKIM2 validation I got that sense from the discussion and from something in the motivation

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Todd Herr
On Sun, Mar 23, 2025 at 2:24 PM Al Iverson wrote: > On Fri, Mar 21, 2025 at 9:41 AM Todd Herr > wrote: > > > Here is what I currently understand to be true: > > > > DMARC provides the ability for a Domain Owner to request handling for > messages that fail email validation (SPF and DKIM) and to r

[Ietf-dkim] Re: comments on draft-gondwana-dkim2-motivation

2025-03-24 Thread Jeremy Harris
On 3/24/25 11:12 AM, Alessandro Vesely wrote: In order to write a filter, I'd like an MTA which calls outgoing filters after the whole RCPT TO series is done, but before DATA; having the list of accepted recipients and the body already converted to what the receiver needs.  Dunno if any MTA cu

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Al Iverson
On Mon, Mar 24, 2025 at 10:06 AM Murray S. Kucherawy wrote: > On Mon, Mar 24, 2025 at 7:30 AM Todd Herr wrote: > >> I posit that a world with unsigned messages being rejected is indeed >> possible. Major mailbox providers have been saber rattling about "No auth,

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Alessandro Vesely
On Fri 21/Mar/2025 19:13:47 +0100 Tobias Herkula wrote: As a receiver, I already reject some portions of traffic if it is unsigned or an existing signature does not verify. I would vote for a clear statement that failing DKIM2 signatures from a 100% DKIM2 mail chain should provoke a reject, as

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Richard Clayton
In message , Murray S. Kucherawy writes >What I'm less clear on is how one identifies a legitimate mutation or a >legitimate list, versus a participating attacker claiming to be one of >those things. you cannot determine "legitimate" in a protocol .

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Murray S. Kucherawy
Participating here: On Mon, Mar 24, 2025 at 12:24 PM Richard Clayton wrote: > >What I'm less clear on is how one identifies a legitimate mutation or a > >legitimate list, versus a participating attacker claiming to be one of > >those things. > > you cannot determine "legitimate" in a protocol ..

[Ietf-dkim] Re: Multiple rcpt-to's

2025-03-24 Thread Wei Chuang
Another way to help resolve this might be to get feedback from the folks working on RFC5321/2bis documents. Presumably this is the emailcore working group. How about we Cc some condensed form of this thread there? Or email directly John Klensin? Also I noticed that my formatting doesn't play wel

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Richard Clayton
In message , Alessandro Vesely writes >BTW, is dkim2=fail different from "failing DKIM2 signatures from a 100% DKIM2 >mail chain"? I mean, do verifiers always check all the signatures along the >chain or can sometimes check just the last one? In

[Ietf-dkim] Re: Multiple rcpt-to's

2025-03-24 Thread John Levine
It appears that Wei Chuang said: >Another way to help resolve this might be to get feedback from the folks >working on RFC5321/2bis documents. Presumably this is the emailcore >working group Please, no. The 5321bis document is done and it is not going to change other than s

[Ietf-dkim] Re: comments on draft-gondwana-dkim2-motivation

2025-03-24 Thread Murray S. Kucherawy
On Mon, Mar 24, 2025 at 6:31 AM Jeremy Harris wrote: > > In order to write a filter, I'd like an MTA which calls outgoing filters > after the whole RCPT TO series is done, but before DATA; having the list of > accepted recipients and the body already converted to what the receiver > needs. Dunno

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Murray S. Kucherawy
On Mon, Mar 24, 2025 at 7:30 AM Todd Herr wrote: > I posit that a world with unsigned messages being rejected is indeed > possible. Major mailbox providers have been saber rattling about "No auth, > no entry" for quite some time, and the current Yahoo/Google requirements > that at least some send

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Murray S. Kucherawy
Speaking only as a participant: On Mon, Mar 24, 2025 at 8:29 AM Al Iverson wrote: > On Mon, Mar 24, 2025 at 10:06 AM Murray S. Kucherawy > wrote: > >> On Mon, Mar 24, 2025 at 7:30 AM Todd Herr wrote: >> >>> I posit that a world with unsigned messages being re

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Laura Atkins
> On 24 Mar 2025, at 14:26, Todd Herr > wrote: > > On Sun, Mar 23, 2025 at 2:24 PM Al Iverson > > wrote: >> On Fri, Mar 21, 2025 at 9:41 AM Todd Herr >> > > wrote: >> >> > Here is what I currently understand to b

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Al Iverson
Thanks for taking the time to reply and explain, Todd! I appreciate it. >> > Moreover it removes the need for any kind of reporting, as a Domain Owner >> > will know from the rejections which messages that it authorized failed to >> > authenticate and presumably why, and the Domain Owner will ne

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Todd Herr
On Mon, Mar 24, 2025 at 10:24 AM Jim Fenton wrote: > Joining the conversation a little late due to travel… > > On 21 Mar 2025, at 21:41, Todd Herr wrote: > > >- DKIM2, as currently described, allows and even encourages receivers > to > >reject messages that fail DKIM2 validation > > I got

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Murray S. Kucherawy
On Mon, Mar 24, 2025 at 10:53 AM Michael Thomas wrote: > Out of curiosity would, say, a mailing list that breaks the original > signature but signs on the mailing list's behalf count as "signed"? At some > level DKIM is about taking responsibility for a message so something that a > mailing list

[Ietf-dkim] Review of draft-gondwana-dkim2-motivation-02

2025-03-24 Thread Jim Fenton
Apologies for sending this so close to the WG meeting, but I seem to work best to deadlines (and I made the WG meeting a deadline for myself). General comment: The draft uses the term “header” extensively, while the correct term (in every place I have noticed) is “header field”. Intended status

[Ietf-dkim] Re: ELI5: DKIM2 and DMARC

2025-03-24 Thread Richard Clayton
In message , Murray S. Kucherawy writes >On Mon, Mar 24, 2025 at 12:24PM Richard Clayton >wrote: > >> you cannot determine "legitimate" in a protocol ... what DKIM2 does is >> allow you, having determined that badness has occurred, to be sure which

[Ietf-dkim] Re: The DKIM WG has placed draft-gondwana-dkim2-modification-alegbra in state "Candidate for WG Adoption"

2025-03-24 Thread Bron Gondwana
On Mon, Mar 24, 2025, at 10:41, Murray S. Kucherawy wrote: > On Sat, Mar 22, 2025 at 8:51 AM Michael Thomas wrote: >> >> This seems really premature. >> > >> > Note that we haven't adopted the document yet. We haven't even put out >> > the minutes of the face-to-face or put out a call for adoptio

[Ietf-dkim] Re: Multiple rcpt-to's

2025-03-24 Thread Bron Gondwana
On Sun, Mar 23, 2025, at 04:53, Michael Thomas wrote: > > > I'm about half way through the audio session and just finished the rationale > for a single rcpt-to. I'd like to turn that rationale on its head: if this > is pretty much the way the world operates now (which I have no reason to >

[Ietf-dkim] Re: comments on draft-gondwana-dkim2-motivation

2025-03-24 Thread Alessandro Vesely
On Sun 23/Mar/2025 16:13:12 +0100 Allen Robinson wrote: On Sun, Mar 23, 2025, 7:13 a.m. Alessandro Vesely wrote: On Thu 20/Mar/2025 19:54:02 +0100 Allen Robinson wrote: I don't think DKIM2 helps at all in that case. A sender is well within their rights to put in a new header that specifies t