[opendmarc-users] Rejecting DMARC errors

Lefteris Tsintjelis lefty at spes.gr
Thu Jun 13 06:10:35 PDT 2019


On 13/6/2019 14:53, Juri Haberland wrote:
> On 2019-06-13 12:43, Lefteris Tsintjelis wrote:
>> On 13/6/2019 12:51, Juri Haberland wrote:
>>> On 2019-06-13 10:45, Lefteris Tsintjelis wrote:
> 
>>> A receiver without DMARC checking would accept the mail anyway, so 
>>> why would it be a security issue if a receiver /with/ DMARC checking 
>>> accepts it, too?
>>
>> Because the DomainKey ADSP policy (dkim=all) is set for all outgoing
>> mail to be DKIM signed and therefore an unsigned mail with DMARC
>> policy set to reject should be rejected.
> 
> DMARC does not enforce DKIM policies - it does enforce DMARC policies.
> ADSP is considered dead. From RFC 7489, appendix A.5:
>>  DMARC has been characterized as a "super-ADSP" of sorts.
> See also https://dmarcian.com/adsp-and-dmarc/

If DMARC was called "super-ADSP" it should have stood up to its name 
then. I am sure you are right about the RFCs but it should have followed 
on ADSP policies. For me, being able to enforce signatures is a very 
important security policy. I don't know about the rest of the RFCs but 
in this case DMARC looks more like a "sub-ADSP" to me as it creates a 
new and big security issue here, something that the old and dead ADSP 
did not have, if it were to be used properly of course. IMHO it seems to 
me that everyone can defeat the "super-ADSP" extremely easily here. I am 
really surprised that RFCs did not cover this case. Even OpenDKIM had 
the ADSP code removed recently if I remember correctly. I suppose this 
should have been a job for OpenDKIM to deal with but still, there seems 
to be a new big security gap here between the "old/dead ADSP" and the 
new "super-ADSP".

>>>>>> 2) Also, when an email arrives from an older domain using DomainKey
>>>>>> OpenDMARC is doing the exact same thing, generates an error but email
>>>>>> is accepted.
>>>>>
>>>>> DomainKey is obsolete and not part of the DMARC RFC and therefore 
>>>>> not supported by OpenDMARC.
>>>>
>>>> That would have been perfectly acceptable also as it is obsolete. Why
>>>> is there an interaction with DomainKey-Signature then and I get a
>>>> "dmarc=permerror" in Authentication-Results header? Shouldn't it be
>>>> completely ignored without any permerror generated?
> 
>>>> Header example:
>>>>
>>>> Authentication-Results: mx.domain.com; dmarc=permerror 
>>>> header.from=old.domainkey.com
> 
> I've checked the sources and - if I didn't miss anything - 
> "dmarc=permerror" is only used, if something was wrong with the DMARC 
> DNS record. In such cases you should see something like the following in 
> your logs:
>> opendmarc[<pid>]: <jobid> 
>> opendmarc_policy_query_dmarc(<sender.domain>) returned status <x>
> It has nothing to do with old DomainKeys as it is completely ignored.
Then it is most likely a DMARC DNS record issue on their part.
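The two points made in this exchange, that DMARC enforces its own policy (an aligned SPF pass or an aligned DKIM pass is enough, so an unsigned message can still pass) and that dmarc=permerror comes only from a broken DMARC DNS record, can be seen in a small evaluator. The following is an added example written for this page; it is not code from the thread or from OpenDMARC, it simplifies RFC 7489 (organizational domain is taken as the last two labels instead of using the Public Suffix List), and all domain names, records and authentication results in it are constructed.

```python
# Added example (not code from the opendmarc-users thread or from OpenDMARC):
# a simplified RFC 7489 DMARC evaluator. Domain names, DMARC records and
# authentication results below are constructed for illustration.


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: real implementations consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict.

    Raises ValueError on a malformed record; this is the situation the
    thread describes as producing dmarc=permerror, as opposed to a missing
    DKIM signature, which is not an error at all for DMARC.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) requires an exact match,
    relaxed (r) only requires the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, dmarc_txt, spf_result=None, spf_domain=None,
                   dkim_results=()):
    """Return (dmarc_result, disposition).

    spf_result is "pass"/"fail"/None with spf_domain the MAIL FROM domain;
    dkim_results is an iterable of (d= domain, result) pairs, empty when
    the message carries no DKIM signature at all.
    """
    try:
        record = parse_dmarc_record(dmarc_txt)
    except ValueError:
        # Broken DNS record: permerror, and the message is still accepted,
        # which matches the behaviour reported in the thread.
        return ("permerror", "accept")

    spf_aligned = (spf_result == "pass" and spf_domain is not None
                   and aligned(spf_domain, from_domain, record["aspf"]))
    dkim_aligned = any(result == "pass" and aligned(d, from_domain, record["adkim"])
                       for d, result in dkim_results)

    # DMARC passes if EITHER aligned mechanism passes; it never requires
    # a DKIM signature to be present (unlike ADSP dkim=all).
    if spf_aligned or dkim_aligned:
        return ("pass", "accept")
    return ("fail", record["p"])


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s"
    # Unsigned mail relayed by the domain's own SPF-authorised host: DMARC passes.
    print(evaluate_dmarc("example.com", record, "pass", "example.com"))
    # Unsigned mail from an unauthorised host: rejected by policy.
    print(evaluate_dmarc("example.com", record, "fail", "example.com"))
    # Signed only by an unrelated third-party domain: not aligned, rejected.
    print(evaluate_dmarc("example.com", record, "fail", "bulk.example.net",
                         [("bulk.example.net", "pass")]))
    # Malformed record: permerror, accepted.
    print(evaluate_dmarc("example.com", "v=DMARC1; p=bogus"))
```

The first case is the one discussed above: with p=reject and no DKIM signature at all, the message still passes DMARC because SPF passes for an aligned domain. A receiver that wants ADSP-style "every message must be signed" semantics has to implement that as a separate local rule; it is not something a DMARC record can express.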
