On 2017-08-02 23:59, Rick Moen wrote:
> It would be excellent if you could provide any DMARC reports you
> get to the Dng listadmins. Thank you.
I've attached two DMARC aggregate reports from google, the first one
before I fixed the DMARC rua address, which I shouldn't have recived,
and a second one after I changed the DMARC policy to quarantine.
Aggregate reports aren't as useful as forensic reports, but sadly
google, ms & co. don't send those.
The SPF checks from the report have currently the result None, which
usually indicates that domain does not have an SPF record. I did add
?mx:lists.dyne.org to my SPF record, which should have resulted in an
SPF result of Neutral, so either the mailing list needs an SPF record,
or google & co. are wrongly reporting a None result instead of a
Neutral one. I've now changed my SPF record from "v=spf1 a mx
?mx:lists.dyne.org -all" to "v=spf1 a mx mx:lists.dyne.org -all" to
figure out what's the case.
> To the best of my recollection (and I'm presently busy and cannot
> double-check all of this), some subset of the full SMTP headers are
> included in the DKIM attestation. I can't remember which, nor
> whether the DKIM-issuing operator can decide which. I vaguely
> recall that the extra headers MLMs intentionally add, the MLM
> footer, the MLM modification to the Subject header (like adding
> [DNG]), and more are all somewhat problematic for DKIM validation.
DKIM-issuing operator can decide which ones are included, but the From
header should always be included. After reading rfc6376, it seams that
it is possible to allow or disallow the addition of certain headers,
even regardless of if those are before or after the DKIM signature
header. It also seams to be possible to only verify the beginning of
the message body to allow a footer to be added. After re-reading the
available options of my OpenDKIM milter, I've added the following
options to my OpenDKIM configuration:
BodyLengthDB dng@???
OmitHeaders Subject, Precedence, Date, Return-Path, Received,
Comments, Keywords, Bcc, Resent-Bcc, Bounces-To, List-Id,
List-Unsubscribe, List-Archive, List-Post, List-Help, List-Subscribe,
Errors-To
If I can figure out a way to solve this problem I'll document it in
the dev1galaxy forum.
> Just a point:
>
>> I use DMARC and believe it to be necessary because it allows me
>> to: 1) Make sure nobody can use my E-Mail address to impersonate
>> me or send spam
> SPF alone _can_ do exactly that without also needing DKIM/DMARC.
> (So, sufficient is correct, but necessary is not quite correct.)
When a mail is sent, there are the envelope-to and the envelope-from
(which aren't mail headers), but also To and From headers. The
envelope-to/from specifies from where to where a message goes, it's
what you tell a mail server using the "RCPT FROM" and "MAIL FROM" smtp
commands. The From and To header specify who sent the message, and who
whom it was intended to be sent. If I look at the mails I receive from
this mailing list, the To header isn't changed and says
"dng@???".
Normally when an SPF check is made, the envelope from address is used.
If the mail server doesn't have an SPF header, the SPF result is None
and the receiving mail server should accept the mail. But if a DMARC
header is present, the mail from header should be used for the SPF
check instead.
>> 2) I will be notified if anyone attempts to do so
>
> SPF alone can prevent it from being possible, hence you don't need
> to be notified. (This of course assumes that receiving domains
> check SPF for received mail. Not all do, but more do than check
> DMARC.)
There is no point in getting notified if nothing happens or everything
works as expected, but if something didn't work or someone tried to
send a mail in my name and failed, I certainly want to know about
that. If those big mail providers would finally start to send forensic
reports, I could even get a copy of the mails that were rejected.
I aim to know everything that happens in relation to my systems and
resources, I log every request to my web server, every mail sent, and
even every login attempt to my systems, but I have still to add much
more logging to a lot of things.
>> 3) The recipient can check if the message content was changed
>
> gpg signing alone can do that.
gpg and DKIM have a bit different scope. DKIM ensures that the mail
content wasn't changed between the mail server which added the DKIM
signature and the recipient, but doesn't guarantee that nothing
changed the message beforehand. gpg ensures that a message is indeed
from the person claiming to be the author of the message, which DKIM
doesn't guarantee. I only use gpg on my own trusted machines, but I
would never use it on my phone, for example, since I can't trust my
phone. Nonetheless, I can still ensure that changes to messages sent
from my mail server will be obvious thanks to DKIM.
I use GPG signing and DKIM. I used PGP/MIME signing for the previous
messages, but I've now switched back to Inline PGP signing since this
mailing list managed to add the mailing list signature without
invalidating the GPG signed message, and my mail client didn't show me
that the mailing list signature wasn't part of the signed message.