Hi swinog / init7
Thanks @adrian for the report and @daniel for pointing out the NXDOMAIN issue.
Maybe this is well-known, but I would like to point out that this swinog list
has a problem with DKIM and SPF.
1) DKIM: not valid ("message has been altered") because of the email forwarding
without re-signing
2) SPF: wrong record
> Authentication-Results: opendkim.logging.ch;
> dkim=fail (2048-bit key) reason="fail (message has been altered)"
> header.d=switch.ch header.b=qiNTrxHE
> Received-SPF: permerror (lists.swinog.ch: Unknown mechanism type 'redirect'
> in 'v=spf1' record) receiver=mx3.logging.ch; identity=mailfrom;
> envelope-from="[email protected]"; helo=vmaill01.sys.init7.net;
> client-ip=82.197.188.230
> Received: from vmaill01.sys.init7.net (vmaill01.sys.init7.net
> [82.197.188.230])
SPF misconfiguration:
> dig +short lists.swinog.ch txt
> "v=spf1 redirect:init7.net"
The correct record should read as:
> "v=spf1 redirect=init7.net"
See https://www.rfc-editor.org/rfc/rfc7208#section-6.1
While 2) would be an easy fix, 1) might involve some more work.
My 2 cents - Gruass, Franco
On 08.06.23 07:42, Daniel Stirnimann via swinog wrote:
> Hi Adrian,
>
>
> On 07.06.23 21:33, Adrian Ulrich via swinog wrote:
>>> I'm pretty surprised that of the 1.7M domains with an MX record, only 57%
>>> have DKIM
>>
>> I don't see how one could reliably gather this data from DNS:
>>
>> DKIM allows you to specify a selector in the header of the mail: This mail
>> for example will use 'sx1' as the selector (check out the header ;-) ):
>>
>>> $ dig +short txt sx1._domainkey.blinkenlights.ch
>>> "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC[....]
>>
>> But without ever receiving a mail from me: how would you know?
>>
>> You could try to send a query for '_domainkey.blinkenlights.ch' and you MAY
>> receive a NOERROR reply - but that's not guaranteed: My DNS will just return
>> an NXDOMAIN:
>>
>>> $ dig txt _domainkey.blinkenlights.ch|grep status:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10153
>
>
> Your nameserver breaks https://www.rfc-editor.org/rfc/rfc8020
>
> This document states clearly that when a DNS resolver receives a
> response with a response code of NXDOMAIN, it means that the domain
> name which is thus denied AND ALL THE NAMES UNDER IT do not exist.
>
> Daniel
> _______________________________________________
> swinog mailing list -- [email protected]
> To unsubscribe send an email to [email protected]