[opendmarc-users] Can I tell why a specific message failed?
Dan Mahoney, System Admin
danm at prime.gushi.org
Tue Aug 26 12:24:09 PDT 2014
On Tue, 26 Aug 2014, Benny Pedersen wrote:
> On 26. aug. 2014 18.01.05 "Dan Mahoney, System Admin" <danm at prime.gushi.org>
> wrote:
>
>> Those zones aren't signed, and I don't think I've seen any requirement in
>> the spec, or the FAQ, or anywhere else that says DNSSEC is mandatory.
>
> I have no rfc at hand here, but i changed from org tld to eu tld to solve it
> for my problem at org tld
The only mention of DNSSEC (other than the references) in the RFC is 17.3:
    The DMARC mechanism and its underlying technologies (SPF, DKIM)
    depend on the security of the DNS. To reduce the risk of subversion
    of the DMARC mechanism due to DNS-based exploits, serious
    consideration should be given to the deployment of DNSSEC in parallel
    to the deployment of DMARC by both Domain Owners and Mail Receivers.
Which is little more than an advisory. That's not it. There's
no way in the spec for either SPF or DKIM to require that a key be
validated via DNSSEC only.
What it *might* be is that I've got two DKIM signatures present -- and
that I only did the DKIM validation on the amazonses.com domain, and not
the amazon.com domain. And of course, amazon.com is the sender domain,
and the one publishing the dmarc record.
I note that in recent versions of openDKIM there's an option to process
ALL signatures, and not just the last one. I'm going to try turning this
on.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
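The alignment problem Dan describes above (two DKIM signatures, only the unaligned one verified, the DMARC record published by the From: domain) is easy to reproduce in a few lines. The following is an added example, not code from the post or from OpenDMARC/OpenDKIM: it models DMARC identifier alignment per RFC 7489 and shows how the same message fails DMARC when only the amazonses.com signature is evaluated but passes when the amazon.com signature is also verified. The scenario values, the simplified two-label Organizational Domain rule and the helper names are assumptions of the example.

```python
"""DMARC identifier alignment, illustrating the multi-signature case.

Constructed example (not part of the original post or of OpenDMARC):
the RFC 5322 From: domain publishes the DMARC record, and DMARC passes
only if SPF or a *verified* DKIM signature is aligned with that domain.
A message may carry several DKIM signatures; if the verifier evaluates
only one of them, the aligned signature may never be considered.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def organizational_domain(domain: str) -> str:
    """Approximate the Organizational Domain as the last two labels.

    Real implementations consult the Public Suffix List; this shortcut is
    an assumption of the example and is wrong for suffixes like co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' = strict (exact), 'r' = relaxed (same org domain)."""
    identifier = identifier.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return identifier == from_domain
    if mode == "r":
        return organizational_domain(identifier) == organizational_domain(from_domain)
    raise ValueError(f"unknown alignment mode {mode!r}")


@dataclass
class AuthResults:
    from_domain: str                     # RFC 5322 From: domain (publishes the DMARC record)
    spf_domain: Optional[str]            # domain SPF authenticated, None if SPF did not pass
    dkim_pass_domains: List[str] = field(default_factory=list)  # d= of signatures that verified


def dmarc_result(auth: AuthResults, adkim: str = "r", aspf: str = "r") -> Dict[str, object]:
    """Combine SPF and DKIM outcomes with alignment; defaults are the RFC's relaxed modes."""
    spf_aligned = auth.spf_domain is not None and aligned(auth.spf_domain, auth.from_domain, aspf)
    dkim_aligned = [d for d in auth.dkim_pass_domains if aligned(d, auth.from_domain, adkim)]
    return {
        "result": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "spf_aligned": spf_aligned,
        "aligned_dkim_domains": dkim_aligned,
    }


def amazon_scenario(verify_all_signatures: bool) -> Dict[str, object]:
    """Constructed scenario based on the post: From: @amazon.com relayed through SES.

    The message carries two DKIM signatures (d=amazonses.com and d=amazon.com)
    and SPF authenticates the SES bounce domain, which is not aligned.
    """
    signatures = ["amazonses.com", "amazon.com"]  # constructed header order
    verified = signatures if verify_all_signatures else [signatures[0]]  # only one evaluated
    auth = AuthResults(from_domain="amazon.com",
                       spf_domain="amazonses.com",
                       dkim_pass_domains=verified)
    return dmarc_result(auth)


if __name__ == "__main__":
    print("one signature evaluated: ", amazon_scenario(False))
    print("all signatures evaluated:", amazon_scenario(True))
```

Running it shows `result: fail` when only the amazonses.com signature was verified and `result: pass` once the amazon.com signature is evaluated, which is exactly the behaviour a verifier that stops after a single signature would hide; when debugging a DMARC failure, check the `d=` of every signature that verified against the From: domain before suspecting DNS or DNSSEC.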