Benny Pedersen
2022-Feb-09 16:43 UTC
Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
On 2022-02-09 17:25, Julien Salort wrote:
> On 09/02/2022 at 16:55, Benny Pedersen wrote:
>
>> hope maillist users turn their dkim signers into sign only, not verify
>> as well, verify must only happen in dmarc
>
> I am a little bit confused.
>
> - why not verify dkim ? It seems fine for your message. I get:

when dkim pass there is no breakage, but dkim fail can lead to in some setups to make reject, even for maillists :/

that is a design fail on dkim hence why i say sign only in dkim

> Received-SPF: Pass (mailfrom) identity=mailfrom;
> client-ip=94.237.105.223; helo=talvi.dovecot.org;
> envelope-from=dovecot-bounces at dovecot.org; receiver=<UNKNOWN>
> Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none)
> header.from=junc.eu
> Authentication-Results: vps2.salort.eu;
> dkim=pass (2048-bit key; secure) header.d=junc.eu header.i=@junc.eu
> header.a=rsa-sha256 header.s=default header.b=CC9G/2tV;
> dkim-atps=neutral

perfectly good no problem

> - Is it useful to install something besides OpenDMARC (OpenARC ?), or
> some dedicated OpenDMARC configurations, for the ARC-Seal to be useful
> ?

we are all waiting for spamassassin 4, and maybe ietf stable rfc on openspf, opendkim, openarc, opendmarc, currently none of it is production stable

> I suppose SPF works because the Envelope is correctly set to
> dovecot.org address, so I don't understand the problem the OP was
> mentioning.

postfix maillist have no spf helo pass, no spf pass, i think it's to force pass only on dkim in dmarc :=)

i don't control dovecot.org spf, so if it received in arc test pass i am happy, note arc miss spf helo fail/pass it's not production stable
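Why the headers quoted in the message above yield dmarc=pass even though the SPF pass belongs to dovecot.org: an added example, not code from either poster, that parses those header values and checks DMARC identifier alignment. It assumes relaxed alignment and approximates the organizational domain as the last two labels; `parse`, `org_domain` and `dmarc_eval` are names chosen here.

```python
import re

# Header values as quoted in the message above (the archive's " at " obfuscation is kept).
RAW = """\
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=94.237.105.223; helo=talvi.dovecot.org; envelope-from=dovecot-bounces at dovecot.org; receiver=<UNKNOWN>
Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none) header.from=junc.eu
Authentication-Results: vps2.salort.eu; dkim=pass (2048-bit key; secure) header.d=junc.eu header.i=@junc.eu header.a=rsa-sha256 header.s=default header.b=CC9G/2tV; dkim-atps=neutral
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels.
    # A real verifier derives it from the Public Suffix List.
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def parse(raw):
    """Pull the From domain, the SPF result/domain and the DKIM results out of the headers."""
    spf = re.search(r"^Received-SPF:\s*(\w+).*?envelope-from=\S+?(?:@| at )([\w.-]+)",
                    raw, re.M | re.I)
    dkim = re.findall(r"dkim=(\w+)\b.*?header\.d=([\w.-]+)", raw, re.I)
    hfrom = re.search(r"header\.from=([\w.-]+)", raw, re.I)
    return {"from": hfrom.group(1),
            "spf": (spf.group(1).lower(), spf.group(2)),
            "dkim": [(res.lower(), d) for res, d in dkim]}

def dmarc_eval(header_from, spf, dkim):
    """DMARC passes if SPF or DKIM passes AND its domain aligns with the From domain."""
    want = org_domain(header_from)
    spf_ok = spf[0] == "pass" and org_domain(spf[1]) == want
    dkim_ok = any(res == "pass" and org_domain(d) == want for res, d in dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

if __name__ == "__main__":
    msg = parse(RAW)
    # As delivered: SPF passes for the list's bounce domain, which does not align
    # with From: junc.eu, so the aligned DKIM signature alone carries DMARC.
    print(dmarc_eval(msg["from"], msg["spf"], msg["dkim"]))
    # Constructed variant: the list alters the message and the author's signature
    # no longer verifies. SPF still passes, but unaligned, so DMARC fails.
    print(dmarc_eval(msg["from"], msg["spf"], [("fail", "junc.eu")]))
```
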
dovecot at ptld.com
2022-Feb-10 03:21 UTC
Sv: dovecot mailing list (this mailing list), DKIM, SPF and DMARC
> when dkim pass there is no breakage, but dkim fail can lead to in some setups to make reject, even for maillists
> that is a design fail on dkim

I disagree. DKIM is doing its job. It is a design fail on the part of most mailing lists and/or lack of user's DKIM signatures. Look at it logically, DKIM is reporting that the email has been manipulated and isn't being delivered by the authorized server. Isn't that what you want out of DKIM? Detecting forged, phishing and spam email? If you want to get emails that have been captured by a man in the middle, manipulated, then sent to you from a hacker's server then why bother setting up DKIM at all? To us humans, we don't conceptually view a mailing list as doing that, but on the technical level that is what is happening when DMARC breaks. It is possible for a mailing list to pass DMARC verification, but there doesn't seem to be a lot of motivation to put in the extra effort to make it work.

Regarding ARC; I don't get it, I don't see it as useful. The only thing ARC does is tell you that the server sending you email promises the email is legit. How does that prevent spam/phishing when the attack server can ARC something saying trust me it's legit? And the big 3 using ARC, so what, what does it even mean? Gmail is telling you yep they got that email from someone else and are relaying it to you. What does that solve? Spammers send through gmail accounts and use private domains relayed through gmail servers for delivery. Great, ARC confirms it really was someone who sent that spam through gmail and gmail really did deliver it. How is that useful in fighting spam?

If I'm way off on that, feel free to set me straight.