nanog mailing list archives

Re: is it just me or...


From: Michael Thomas via NANOG <nanog () lists nanog org>
Date: Mon, 26 May 2025 09:55:11 -0700


On 5/25/25 10:16 AM, Bjørn Mork via NANOG wrote:
If the domain in the
"From:" header matches the domain where the public key is stored, the
recipient knows that the email was DKIM signed by a mail server trusted
by the sending domain (since it must have the private key).  It can,
therefore, assume that the email really is from the "From:" address, and
has not been modified along the way.
Yes, so this also works through a forwarding mail server, provided it
only changes the envelope. Older mailing list software broke because it
messed around with the message content, but that was completely
unnecessary.  And good to get rid of.  Injecting some additional mailing
list headers is still fine, and will not break DKIM.

It should be noted that NANOG's mailing list before the change over didn't cause DKIM-breaking signature behavior, but now it does (like most mailing lists).

The big problem with DMARC is that it ties SPF to the From header field,
so changing the envelope sender will not work anymore.  This forces the
forwarder to mess with the From field to align it with a SPF valid
envelope.  Which again will break any existing DKIM signature.  Which of
course can be worked around by adding another DKIM signature.

DMARC is broken by design.  SPF and DKIM worked fine alone.

Has anybody even enumerated why "alignment" is even a supposedly good idea? Or why unification of SPF and DKIM policy was needed at a protocol level? I mentioned that a BCP might be useful, but that doesn't require protocol level standardization. I was sort of ambivalent about "alignment" when I first heard about it, but maybe that's really the heart of why it went off the rails where both SPF's policy and DKIM's ADSP were actually sufficient before.

Mike
_______________________________________________
NANOG mailing list https://lists.nanog.org/archives/list/nanog () lists nanog org/message/OUWKW55OQKSOS7JA7OHK4RSENUCMHV4Q/
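As an added illustration, not written by anyone in this thread, of the alignment rule the quoted text argues about: a small Python evaluator that applies DMARC's relaxed/strict identifier alignment to constructed SPF and DKIM results for the four deliveries discussed above (direct, forwarded with only the envelope rewritten, through a list that edits the body, and through a list that rewrites From and adds its own signature). The domain names, and the two-label shortcut for the organizational domain, are assumptions.

```python
# Added example (not from the thread): a minimal DMARC alignment evaluator
# over constructed SPF/DKIM results. All domain names are placeholders.

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real DMARC derives this from the Public Suffix List (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organizational domains;
    strict ('s') requires an exact match with the From: domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf: (domain SPF authenticated, result string)
    dkim: list of (d= domain, signature verified?) for every signature.
    DMARC passes if either authenticated identifier aligns with From:."""
    spf_domain, spf_res = spf
    spf_ok = spf_res == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = any(ok and aligned(d, from_domain, adkim) for d, ok in dkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"

def scenarios():
    """Four constructed deliveries of a message From: user@example.org."""
    f = "example.org"
    return {
        # Direct delivery: envelope and signature both belong to the sender.
        "direct": dmarc_result(f, ("example.org", "pass"), [("example.org", True)]),
        # Forwarder rewrites only the envelope sender: SPF passes for the
        # forwarder but is unaligned; the untouched body keeps DKIM valid.
        "forwarded_envelope_only": dmarc_result(
            f, ("fwd.example.net", "pass"), [("example.org", True)]),
        # List adds a subject tag/footer: the original DKIM signature breaks,
        # and the list's SPF-authenticated domain does not align with From:.
        "list_modifies_body": dmarc_result(
            f, ("lists.example.net", "pass"), [("example.org", False)]),
        # Workaround: list rewrites From: to its own domain and re-signs.
        "list_rewrites_from_and_resigns": dmarc_result(
            "lists.example.net", ("lists.example.net", "pass"),
            [("example.org", False), ("lists.example.net", True)]),
    }

if __name__ == "__main__":
    for name, res in scenarios().items():
        print(f"{name}: {res}")
```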
