My understanding is that DMARC alignment depends on both SPF and DKIM and that if a test using either protocol passes, then a DMARC will pass. This is probably an oversimplification, but I'm exploring the idea of whether it might be possible to interpose a milter using OpenDKIM (perhaps zdkimfilter) between Mailman and the outgoing SMTP server (courier-MTA) so that outgoing list posts are appropriately signed.
I know next to nothing about DKIM, but there was a time when I knew next to nothing about almost everything, so I learn what I have to to make things work :)
-- 
Lindsay Haisley       | "The only unchanging certainty
FMP Computer Services |  is the certainty of change"
512-259-1190          |  - Ancient wisdom, many cultures
http://www.fmp.com    |
On 04/27/2014 10:16 AM, Lindsay Haisley wrote:
> My understanding is that DMARC alignment depends on both SPF and DKIM and that if a test using either protocol passes, then a DMARC will pass. This is probably an oversimplification, but I'm exploring the idea of whether it might be possible to interpose a milter using OpenDKIM (perhaps zdkimfilter) between Mailman and the outgoing SMTP server (courier-MTA) so that outgoing list posts are appropriately signed.
This doesn't help. The whole idea behind DMARC is the message must pass either SPF or DKIM with a domain that 'aligns' with the domain of the address in the From: header.
You can't DKIM sign for the yahoo.com or aol.com or whatever.com domain because you don't know their private keys. You can only DKIM sign for your own domain which won't 'align' with the From: domain.
-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
On Sun, 2014-04-27 at 10:34 -0700, Mark Sapiro wrote:
> On 04/27/2014 10:16 AM, Lindsay Haisley wrote:
> > My understanding is that DMARC alignment depends on both SPF and DKIM and that if a test using either protocol passes, then a DMARC will pass. This is probably an oversimplification, but I'm exploring the idea of whether it might be possible to interpose a milter using OpenDKIM (perhaps zdkimfilter) between Mailman and the outgoing SMTP server (courier-MTA) so that outgoing list posts are appropriately signed.
> This doesn't help. The whole idea behind DMARC is the message must pass either SPF or DKIM with a domain that 'aligns' with the domain of the address in the From: header.
> You can't DKIM sign for the yahoo.com or aol.com or whatever.com domain because you don't know their private keys. You can only DKIM sign for your own domain which won't 'align' with the From: domain.
OK, Thanks Mark. This makes sense. No need for anyone else to post a reply to my post.
-- 
Lindsay Haisley       | "Everything works if you let it"
FMP Computer Services |
512-259-1190          | --- The Roadie
http://www.fmp.com    |
On 4/27/14, 1:34 PM, Mark Sapiro wrote:
> On 04/27/2014 10:16 AM, Lindsay Haisley wrote:
> > My understanding is that DMARC alignment depends on both SPF and DKIM and that if a test using either protocol passes, then a DMARC will pass. This is probably an oversimplification, but I'm exploring the idea of whether it might be possible to interpose a milter using OpenDKIM (perhaps zdkimfilter) between Mailman and the outgoing SMTP server (courier-MTA) so that outgoing list posts are appropriately signed.
> This doesn't help. The whole idea behind DMARC is the message must pass either SPF or DKIM with a domain that 'aligns' with the domain of the address in the From: header.
> You can't DKIM sign for the yahoo.com or aol.com or whatever.com domain because you don't know their private keys. You can only DKIM sign for your own domain which won't 'align' with the From: domain.
One question I have had over how this works is why SPF is added to the mix. If the message passes SPF, then it has come directly from a server that is supposedly controlled by the sending provider. Said server should have been able to DKIM sign the message, so you should never see a message that passes SPF but fails DKIM.
Was that option just put in to allow an organization to just implement SPF (and ignore DKIM), but change SPF to require the alignment to From: ?
-- Richard Damon
On 04/27/2014 11:00 AM, Richard Damon wrote:
> One question I have had over how this works is why SPF is added to the mix. If the message passes SPF, then it has come directly from a server that is supposedly controlled by the sending provider. Said server should have been able to DKIM sign the message, so you should never see a message that passes SPF but fails DKIM.
SPF applies to the domain of the envelope sender, not the From: address. It only says that the server that delivered this message is authorized (or not) for the domain of the envelope sender.
> Was that option just put in to allow an organization to just implement SPF (and ignore DKIM), but change SPF to require the alignment to From: ?
I think the intent is that any domain that implements a DMARC policy will both publish SPF and DKIM sign, but the draft spec explicitly allows for the sending domain to not do both[1].
For a DMARC test to succeed either SPF must pass and the SPF domain must align with the From: domain or there must be a valid DKIM signature with a d= domain aligned with the From: domain.
Note that this doesn't represent any change in either SPF or DKIM. It is just an additional requirement on the domains of these tests.
So, if a relay modifies the domain of the envelope sender, e.g. like most mailing lists change it to some bounce@my.domain, SPF may pass, but the domains won't align. For SPF to allow the message to pass DMARC validation, the envelope sender's domain must align with the From: domain and the server which delivered the mail to the recipient MTA must be authorized by the SPF of the envelope sender's domain.
[1] From sec 10.2 of the draft spec:

    Heuristics applied in the absence of use by a Domain Owner of either SPF or DKIM (e.g., [Best-Guess-SPF]) SHOULD NOT be used, as it may be the case that the Domain Owner wishes a Message Receiver not to consider the results of that underlying authentication protocol at all.

-- 
Mark Sapiro <mark@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
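The alignment rule Mark spells out in the last two messages (SPF pass with an aligned envelope-sender domain, or a verified DKIM signature with an aligned d= domain) is small enough to write down, so here is an added worked example; it is not code from the thread or from Mailman, OpenDKIM or Courier. It takes the SPF and DKIM verdicts as already-computed inputs (no DNS lookups or signature verification are performed) and evaluates only the DMARC alignment step. The sample messages, the domains `lists.example.org` and `mail.example.com`, and the two-label organizational-domain shortcut are constructed for this example; the strict/relaxed distinction is the one the DMARC spec defines, which the thread does not go into.

```python
"""Added example: the DMARC identifier-alignment step, given SPF/DKIM results.

A message passes DMARC if EITHER
  - SPF passed for the envelope sender (MAIL FROM) AND that domain aligns
    with the RFC5322.From domain, OR
  - some DKIM signature verified AND its d= domain aligns with the From domain.
SPF and DKIM verdicts are inputs here; a real receiver obtains them from its
SPF/DKIM verifiers first.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AuthResults:
    from_domain: str                       # domain of the From: header address
    spf_pass: bool                         # SPF verdict on MAIL FROM
    mailfrom_domain: str                   # envelope-sender (MAIL FROM) domain
    # (verified?, d= domain) for each DKIM-Signature header found
    dkim_signatures: List[Tuple[bool, str]] = field(default_factory=list)


def organizational_domain(domain: str) -> str:
    """Simplified org-domain: the last two labels.  This is an assumption made
    for the example; real implementations use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain: str, from_domain: str, strict: bool) -> bool:
    """Strict alignment: exact match.  Relaxed: same organizational domain."""
    if not domain:
        return False
    if strict:
        return domain.lower() == from_domain.lower()
    return organizational_domain(domain) == organizational_domain(from_domain)


def dmarc_pass(r: AuthResults, strict: bool = False) -> dict:
    """Return which identifier aligned and the overall DMARC result."""
    spf_aligned = r.spf_pass and aligned(r.mailfrom_domain, r.from_domain, strict)
    # Any ONE verified signature whose d= aligns is enough.
    dkim_aligned = any(
        verified and aligned(d, r.from_domain, strict)
        for verified, d in r.dkim_signatures
    )
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": spf_aligned or dkim_aligned,
    }


# Constructed sample 1: mail sent directly by a yahoo.com user.
DIRECT = AuthResults(
    from_domain="yahoo.com",
    spf_pass=True, mailfrom_domain="yahoo.com",
    dkim_signatures=[(True, "yahoo.com")],
)

# Constructed sample 2: the same post relayed by a mailing list.  The list
# rewrote MAIL FROM to its own bounce address (SPF passes for the list's
# domain), its subject tag broke the yahoo.com signature, and the list added a
# signature of its own.  Nothing aligns with yahoo.com, so DMARC fails.
VIA_LIST = AuthResults(
    from_domain="yahoo.com",
    spf_pass=True, mailfrom_domain="lists.example.org",
    dkim_signatures=[(False, "yahoo.com"), (True, "lists.example.org")],
)

# Constructed sample 3: subdomain in From:, parent domain in MAIL FROM.
# Aligns under relaxed mode only.
SUBDOMAIN = AuthResults(
    from_domain="mail.example.com",
    spf_pass=True, mailfrom_domain="example.com",
    dkim_signatures=[],
)

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("via_list", VIA_LIST), ("subdomain", SUBDOMAIN)):
        print(name, dmarc_pass(sample), "strict:", dmarc_pass(sample, strict=True))
```

The `VIA_LIST` case is the situation Mark describes: the list can only sign for `lists.example.org`, and its bounce address only makes SPF pass for `lists.example.org`, so neither identifier aligns with the From: domain and a `p=reject` policy at the From: domain would reject the post. The list can produce an aligned identifier only by putting its own domain in From: (the usual From: rewriting workaround), which is outside what this example models.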