On Fri, 5 May 2017 17:45:37 +0000 David Jones wrote:
> From: RW <rwmailli...@googlemail.com>
>
> >On Fri, 5 May 2017 14:51:32 +0000
> >David Jones wrote:
>
> >> >I know. I do not want to validate the envelope from with DKIM. I
> >> >just want to know if the mail was DKIM-VALID signed by the DOMAIN
> >> >used in the envelope from.
> >>
> >> >So the only thing I want with the envelope from is to extract the
> >> >domain and test if the mail was DKIM signed (and valid) by that
> >> >domain.
> >>
> >> >This tells me the envelope from is not some random spoofed
> >> >address, but actually controlled by someone who handled the
> >> >e-mail before it arrived at our MTA.
> >>
> >> This actually would be a very useful rule/logic to add to SA:
> >>
> >> https://blog.returnpath.com/why-passing-and-aligning-both-spf-and-dkim-is-key-to-email-deliverability/
> >>
>
> >So what would be the point in running a separate DKIM test against
> >the envelope if you are looking for alignment?
>
> I don't think this would be a separate DKIM test necessarily. It
> should be a combination of SPF_PASS + DKIM_VALID_AU + the
> envelope-from matches the DKIM-signed domain. This is basically
> perfect DMARC alignment where the domain has "p=reject" and DMARC
> would pass, meaning the domain was not spoofed.
>
> >> When both align, it should be a very good candidate for
> >> whitelist_auth based on the sender domain reputation.
>
> >If it passes DKIM and the domain has a good reputation then what
> >difference would alignment make?
>
> Proper security in any context checks both authorization and
> authentication. This is SPF and DKIM respectively in the email
> filtering context. Spammers can get control of a compromised account
> and send a valid DKIM-signed email through that email server that
> would pass SPF with an envelope-from of example.com and DKIM
> signature of example.net (or some domain they had DNS control of like
> paypa1.com). If it passed DKIM_VALID_AU then the visible From:
> address in the recipient's mail client would show example.net or
> paypa1.com.
>
> Would I trust example.com or example.net in the above scenario? Which
> would be added to whitelist_auth? The authorized email was from
> example.com but the authenticated email was from example.net. The
> DMARC standard says that either SPF or DKIM has to pass for a DMARC
> pass based on that link above. The point of that link is to align
> both for best delivery results.
>
> I am just saying that it would be nice if SA had a rule that hit when
> both matched, which is perfect DMARC alignment. Today I am able to
> get close to this using OpenDMARC to add headers, then with custom
> rules to add DMARC_NONE, DMARC_PASS, or DMARC_FAIL. I think I would
> have to write a simple SA plugin to compare the envelope-from with
> the DKIM signature domain to see if they matched, then I could use a
> meta rule to glue all of this together.
>
> Dave
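
The combined check described in the quoted message (SPF pass, a valid signature for the From: domain, and an envelope-from domain equal to that signing domain), as an added example that is not part of the original thread and is not SpamAssassin code. `AuthResult`, `evaluate`, `domain_of` and the result keys are hypothetical names; SPF and DKIM verification are assumed to have been done upstream, and domains are compared by exact match.

```python
from dataclasses import dataclass
from email.utils import parseaddr


def domain_of(addr):
    """Lower-cased domain of an address; None for the null sender "<>"."""
    _, email = parseaddr(addr or "")
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1].rstrip(".").lower() or None


@dataclass
class AuthResult:  # hypothetical container; verification happens upstream
    envelope_from: str          # SMTP MAIL FROM
    header_from: str            # visible From: header
    spf_pass: bool              # SPF verdict for the envelope-from domain
    dkim_valid_domains: tuple   # d= of each signature that verified


def evaluate(msg):
    env = domain_of(msg.envelope_from)
    hdr = domain_of(msg.header_from)
    signed = {d.rstrip(".").lower() for d in msg.dkim_valid_domains}
    dkim_valid_au = hdr is not None and hdr in signed   # as DKIM_VALID_AU
    envelope_signed = env is not None and env in signed
    return {
        "dkim_valid_au": dkim_valid_au,
        "envelope_signed": envelope_signed,
        # All three conditions from the message; exact domain match assumed.
        "fully_aligned": msg.spf_pass and dkim_valid_au and env == hdr,
    }


# Constructed samples (not real traffic).
ALIGNED = AuthResult("bounce@example.com", "Shop <news@example.com>",
                     True, ("Example.COM.",))
# Scenario from the message: SPF passes for example.com, signature is example.net.
SPLIT = AuthResult("user@example.com", "Billing <billing@example.net>",
                   True, ("example.net",))
NULL_SENDER = AuthResult("<>", "postmaster@example.com", True, ("example.com",))

if __name__ == "__main__":
    for name, msg in (("aligned", ALIGNED), ("split", SPLIT), ("null", NULL_SENDER)):
        print(name, evaluate(msg))
```

The `SPLIT` sample passes SPF and has a valid author-domain signature, yet is not fully aligned because the envelope-from domain differs from the signing domain.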