openssl-users: DKIM, DMARC and all that jazz, and what it means to us
Jakob Bohm
jb-openssl at wisemo.com
Fri Feb 15 16:14:03 UTC 2019
On 15/02/2019 16:03, Richard Levitte wrote:
> Hi all,
>
> It seem like DMARC, SPF, DKIM, or *something* is tripping us up quite
> a bit. Earlier this afternoon (that's what it is in Sweden at least),
> us postmasters got a deluge of bounce reports from mailman, basically
> telling us that it got something like this:
>
> <user at example.com>: host aspmx.l.google.com[74.125.140.26] said:
> 550-5.7.1 This message does not have authentication information or fails to
> pass 550-5.7.1 authentication checks. To best protect our users from spam,
> the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
> https://support.google.com/mail/answer/81126#authentication for more 550
> 5.7.1 information. f1si3266960wro.105 - gsmtp (in reply to end of DATA
> command)
>
> There's very little fact of what actually triggered these bounces, but
> they always come from Google, so we're guessing that they're becoming
> increasingly aggressive in their checks of DKIM, SPF, ARC, who knows
> (they don't seem to check DMARC, 'cause we do have one with p=none and
> an address to sent DMARC reports to, and I'm hearing absolutely
> nothing from Google, but I do hear from others)
>
> So, to mitigate the problem, we've removed all extra decoration of the
> messages, i.e. the list footer that's usually added and the subject
> tag that indicates what list this is (I added the "openssl-users:"
> that you see manually).
>
> So IF you're filtering the messages to get list messages in a
> different folder, based on the subject line, you will unfortunately
> have to change it. If I may suggest something, it's to look at this:
>
> List-Id: <openssl-users.openssl.org>
>
> Cheers,
> Richard ( role: postmaster )
>
I have had some fruitless discussion with the mailman authors a while
back. They seemed to insist that DMARC etc. were bad ideas and that
senders complying were broken and needed half-assed workarounds.
In my own role as postmaster, I see all these systems implementing
variations of the same concepts, that have pretty simply implications
for mailing list software:
1. The global mail system is increasingly implementing checks for
spoofed source addresses. List gateways thus need to be
increasingly conservative in what they send out.
2. If posts contain any kind of digital signature (PGP, S/MIME,
DKIM etc.), the mailing list software must either preserve the
validity by not changing anything signed or remove that signature.
Leaving a now-invalid signature in place makes the post obviously
bogus to anyone checking, resulting in bounces and lost mail.
(Optionally, the list gateway may add headers describing the
validity of those signatures before processing, perhaps even
rejecting posts with invalid signatures to reduce spam).
3. When sending out the mails, the various from addresses must be
appropriately authorized, either by being the list gateway itself or
by satisfying all the known checks for any preserved addresses.
4. As mass senders of mail, mailing list gateways should themselves
implement all the checkable features in the standards: strict SPF
records for its own domain, DKIM signatures for any mails with
the list gateway as source, DMARC records telling recipients to
discard/reject messages pretending to be from the list without
satisfying all these checks.
5. The enforcement strictness in DMARC, SPF and DKIM DNS records
should not be taken as license to violate the requirements. For
example an SPF rule of +all should not be treated as permission
to use the posters domain in envelope-from.
Frustration with spam may lead recipient systems to enforce
more strictly than requested by the source domain.
More specific rules:
A. SPF requires the envelope-from (SMTP MAIL FROM) address to always
be that of the list gateway, even if the posters domain has no SPF
record.
B. A valid DKIM signature from the posters domain can allow keeping
the poster as From: address if the DKIM signature is undamaged.
C. Some DKIM signatures allow appending a mailing list footer to the
end of plaintext mails and adding the mailing list headers to the
mail, others do not. In practice this is determined by
implementation details in the posters mail server (for example,
most versions of exim don't sign in that permissive way).
Programmatically this can be determined by directly comparing the
coverage indicated in the DKIM header to the intended mail
modifications.
D. DMARC DNS records indicate if a sending domain wants to restrict
header-From (etc.) pointing to that domain to only be used with
at least one of DKIM and SPF passing for header-From. Rule 5
applies, but so does rule C.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list