Posted to users@spamassassin.apache.org by Philip Prindeville <ph...@redfish-solutions.com> on 2023/05/02 15:26:20 UTC

DKIM absence

Is there a way to add scoring that says, "If the sending domain has DKIM records, but there's no DKIM signature on this message, then attach a high score to it?"

We seem to attach negative scores when DKIM is present and valid, but what about the opposite direction?

If it's absent, but it shouldn't be?


Re: DKIM absence

Posted by Greg Troxel <gd...@lexort.com>.
> Right, because you need to grovel out the selector from the
> DKIM-Signature line.  Groan.
>
> That you can't mark a domain as requiring DKIM at the top-level seems
> to be a design flaw in the protocol.

Yes, but I think the way that is fixed is spelled DMARC.

Re: DKIM absence

Posted by Philip Prindeville <ph...@redfish-solutions.com>.

> On May 2, 2023, at 9:37 AM, Thomas Johnson <tj...@terramar.net> wrote:
> 
> 
>> On May 2, 2023, at 8:27 AM, Philip Prindeville <ph...@redfish-solutions.com> wrote:
>> 
>> Is there a way to add scoring that says, "If the sending domain has DKIM records, but there's no DKIM signature on this message, then attach a high score to it?"
>> 
>> We seem to attach negative scores when DKIM is present and valid, but what about the opposite direction?
>> 
>> If it's absent, but it shouldn't be?
>> 
> 
> 
> If there’s no dkim signature, you can’t check for dkim records in dns. The selector for a dkim signature is arbitrary - there’s no one dns lookup you can do to see all possible dkim records for a domain. 
> 
> You can use ADSP - it’s old and I don’t know how many domains have ADSP records these days, but it lets a domain specify that all mail must be dkim signed to be considered valid.  
> 
> We tell our customers to add an ADSP record, and we use it when checking their incoming mail to help identify forgeries. I don’t know that it helps much with mail from non-customers, though.  I’ll have to check and see how often our rules hit for that. 
> 


Right, because you need to grovel out the selector from the DKIM-Signature line.  Groan.

That you can't mark a domain as requiring DKIM at the top-level seems to be a design flaw in the protocol.



Re: DKIM absence

Posted by Benny Pedersen <me...@junc.eu>.
Matus UHLAR - fantomas skrev den 2023-05-02 19:25:
>> Greg Troxel skrev den 2023-05-02 18:29:
>>> DKIM_MISSING	Domain has DKIM records but message has no DKIM 
>>> signature
> 
> On 02.05.23 18:59, Benny Pedersen wrote:
>> there is no _domainkeys in dns
> 
> sorry, it's _domainkey.example.com

example.com has RFC 7505 to be picky (null MX)

>>> with maybe +3 to start, as a sort-of-soft-impliced-DMARC.
>> 
>> yes _dmarc is in dns
>> 
>>> (surely this is doable in a plugin; it's not conceptually hard)
>> 
>> ha, it's as simple as winning the lotto :=)
> 
> funny, looks like Mail::SpamAssassin::Plugin::AskDNS can check for 
> NOERROR:

forget it, as Bill says

>  Lastly, the filtering parameter can be a comma-separated list of
>  DNS status codes (rcode), enclosed in square brackets. Rcodes can
>  be represented either by their numeric decimal values (0=NOERROR,
>  3=NXDOMAIN, ...), or their names.  See
>  https://www.iana.org/assignments/dns-parameters for the list of
>  names. When testing for a rcode where rcode is nonzero, a RR type
>  parameter is ignored as a filter, as there is typically no answer
>  section in a DNS reply when rcode indicates an error.  Example:
>  [NXDOMAIN], or [FormErr,ServFail,4,5] .

looking forward to seeing results from it

Re: DKIM absence

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>Greg Troxel skrev den 2023-05-02 18:29:
>>DKIM_MISSING	Domain has DKIM records but message has no DKIM signature

On 02.05.23 18:59, Benny Pedersen wrote:
>there is no _domainkeys in dns

sorry, it's _domainkey.example.com

>>with maybe +3 to start, as a sort-of-soft-impliced-DMARC.
>
>yes _dmarc is in dns
>
>>(surely this is doable in a plugin; it's not conceptually hard)
>
>ha, it's as simple as winning the lotto :=)

funny, looks like Mail::SpamAssassin::Plugin::AskDNS can check for NOERROR:

  Lastly, the filtering parameter can be a comma-separated list of
  DNS status codes (rcode), enclosed in square brackets. Rcodes can
  be represented either by their numeric decimal values (0=NOERROR,
  3=NXDOMAIN, ...), or their names.  See
  https://www.iana.org/assignments/dns-parameters for the list of
  names. When testing for a rcode where rcode is nonzero, a RR type
  parameter is ignored as a filter, as there is typically no answer
  section in a DNS reply when rcode indicates an error.  Example:
  [NXDOMAIN], or [FormErr,ServFail,4,5] .


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody

Re: DKIM absence

Posted by Benny Pedersen <me...@junc.eu>.
Greg Troxel skrev den 2023-05-02 18:29:

> DKIM_MISSING	Domain has DKIM records but message has no DKIM signature

no

there is no _domainkeys in dns

> with maybe +3 to start, as a sort-of-soft-impliced-DMARC.

yes _dmarc is in dns

> (surely this is doable in a plugin; it's not conceptually hard)

ha, it's as simple as winning the lotto :=)

Re: DKIM absence

Posted by Jared Hall <ja...@jaredsec.com>.
On 5/2/2023 1:02 PM, Bill Cole wrote:
>
> That is a terrible idea. There are perfectly good reasons for a domain 
> to only sign some mail. Justifying a +3 score on something which is 
> only wrong *IN YOUR HEAD* is hard.
>
> ADSP and DMARC both exist apart from DKIM. It is an entirely valid 
> choice to NOT use them.
>

Yes, Bill is a voice of reason.  There ARE good reasons to only sign 
some mail.  Example use case:

-----
I use SPF/DMARC everywhere.   Emails from our servers do not have DKIM 
signatures.  All is good and management is easy.

However, I have several clients that use ESP contact managers, like 
ConstantContact.  Constant Contact provides a couple of CNAME records to 
use for their signing records.  All is good and management continues to 
be easy.  Everybody is happy. Deliverability is 100%.
-----

Validate a DKIM record IF it exists in an Email.  Honor DMARC policies 
as you wish.  But IMHO, it is probably not a good idea to go looking for 
trouble that doesn't exist.


-- Jared Hall


Re: DKIM absence

Posted by Bill Cole <sa...@billmail.scconsult.com>.
On 2023-05-02 at 12:29:53 UTC-0400 (Tue, 02 May 2023 12:29:53 -0400)
Greg Troxel <gd...@lexort.com>
is rumored to have said:

> Matus UHLAR - fantomas <uh...@fantomas.sk> writes:
>
>> On 02.05.23 08:37, Thomas Johnson wrote:
>>> If there’s no dkim signature, you can’t check for dkim records 
>>> in
>>> dns.  The selector for a dkim signature is arbitrary - there’s no
>>> one dns lookup you can do to see all possible dkim records for a
>>> domain.
>>
>> a trick: if _domainkeys.example.com exists (returns anything but
>> NXDOMAIN), we may assume that at least DKIM records exist.
>>
>> I just have no idea how to test this in SA (at least not within 
>> rule).
>
> I think that's a great idea, and we could add
>
> DKIM_MISSING	Domain has DKIM records but message has no DKIM signature
>
> with maybe +3 to start, as a sort-of-soft-impliced-DMARC.

That is a terrible idea. There are perfectly good reasons for a domain 
to only sign some mail. Justifying a +3 score on something which is only 
wrong *IN YOUR HEAD* is hard.

ADSP and DMARC both exist apart from DKIM. It is an entirely valid 
choice to NOT use them.

> (surely this is doable in a plugin; it's not conceptually hard)

Feel free to implement it on your own and report back the results.


-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: DKIM absence

Posted by Greg Troxel <gd...@lexort.com>.
Matus UHLAR - fantomas <uh...@fantomas.sk> writes:

> On 02.05.23 08:37, Thomas Johnson wrote:
>> If there’s no dkim signature, you can’t check for dkim records in
>> dns.  The selector for a dkim signature is arbitrary - there’s no
>> one dns lookup you can do to see all possible dkim records for a
>> domain.
>
> a trick: if _domainkeys.example.com exists (returns anything but
> NXDOMAIN), we may assume that at least DKIM records exist.
>
> I just have no idea how to test this in SA (at least not within rule).

I think that's a great idea, and we could add

DKIM_MISSING	Domain has DKIM records but message has no DKIM signature

with maybe +3 to start, as a sort-of-soft-impliced-DMARC.

(surely this is doable in a plugin; it's not conceptually hard)

Re: DKIM absence

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> On May 2, 2023, at 8:27 AM, Philip Prindeville <ph...@redfish-solutions.com> wrote:
>> Is there a way to add scoring that says, "If the sending domain has DKIM 
>> records, but there's no DKIM signature on this message, then attach a 
>> high score to it?"
>>
>> We seem to attach negative scores when DKIM is present and valid, but 
>> what about the opposite direction?
>>
>> If it's absent, but it shouldn't be?

On 02.05.23 08:37, Thomas Johnson wrote:
> If there’s no dkim signature, you can’t check for dkim records in dns.  
> The selector for a dkim signature is arbitrary - there’s no one dns lookup 
> you can do to see all possible dkim records for a domain.

a trick: if _domainkeys.example.com exists (returns anything but NXDOMAIN), 
we may assume that at least DKIM records exist.

I just have no idea how to test this in SA (at least not within rule).


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Atheism is a non-prophet organization.
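The two points made above, that the selector can only be recovered from a DKIM-Signature header (so an unsigned message gives you nothing to look up) and that the existence of `_domainkey.<domain>` is the only fallback, as an added example that is not code from this thread or from the SpamAssassin project. It parses the DKIM-Signature tag list to derive the key name, applies the `_domainkey` existence heuristic (singular label, as Matus corrects in his reply to Benny) against a constructed in-memory DNS table, and sets the domain's DMARC `p=` policy beside it. The `.example` domains, the `FAKE_DNS` table, the sample headers and all function names are assumptions made for the example; no signature is verified and no real DNS is queried.

```python
"""Added example, not from the thread or the SpamAssassin project: what a
"DKIM missing" style rule can and cannot know from the message alone.
All DNS answers come from a constructed in-memory table (no network)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed fake zone data: name -> (rcode, TXT strings).  Domains and key
# contents are made up; "PLACEHOLDER" stands in for real key/signature data.
FAKE_DNS = {
    # Signs everything and says so via DMARC.
    "_domainkey.signs-all.example": ("NOERROR", []),   # empty non-terminal
    "sel1._domainkey.signs-all.example": ("NOERROR", ["v=DKIM1; k=rsa; p=PLACEHOLDER"]),
    "_dmarc.signs-all.example": ("NOERROR", ["v=DMARC1; p=reject"]),
    # Signs only ESP mail (Jared's case) and publishes DMARC p=none.
    "_domainkey.signs-some.example": ("NOERROR", []),
    "esp._domainkey.signs-some.example": ("NOERROR", ["v=DKIM1; k=rsa; p=PLACEHOLDER"]),
    "_dmarc.signs-some.example": ("NOERROR", ["v=DMARC1; p=none"]),
    # nosign.example publishes nothing: every lookup answers NXDOMAIN.
}


def lookup(name):
    """Simulated resolver: unknown names answer NXDOMAIN, as a real zone would."""
    return FAKE_DNS.get(name.lower(), ("NXDOMAIN", []))


def parse_tag_list(value):
    """Parse an RFC 6376 style tag=value list ("v=1; d=example; s=sel").
    Folding whitespace inside values is dropped, which is what the base64
    b=/bh= tags and the d=/s= tags need."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        tag, _, val = item.partition("=")
        tags[tag.strip()] = "".join(val.split())
    return tags


def author_domain(msg):
    """Domain of the From: header, the identifier DMARC aligns on."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if none is published."""
    rcode, txts = lookup(f"_dmarc.{domain}")
    if rcode != "NOERROR":
        return None
    for txt in txts:
        tags = parse_tag_list(txt)
        if tags.get("v") == "DMARC1":
            return tags.get("p")
    return None


def assess(raw_message):
    """Evaluate one message against the three signals discussed in the thread."""
    msg = message_from_string(raw_message)
    domain = author_domain(msg)
    sig = msg.get("DKIM-Signature")
    result = {"domain": domain, "dkim_signed": sig is not None,
              "key_name": None, "key_published": None}
    if sig is not None:
        tags = parse_tag_list(sig)
        # Only a signed message tells us which selector to look up.
        result["key_name"] = f"{tags['s']}._domainkey.{tags['d']}"
        rcode, txts = lookup(result["key_name"])
        result["key_published"] = rcode == "NOERROR" and any(
            parse_tag_list(t).get("v") == "DKIM1" for t in txts)
    # The trick from the thread: _domainkey.<domain> answering anything but
    # NXDOMAIN means the domain publishes at least one DKIM key somewhere.
    result["domainkey_exists"] = lookup(f"_domainkey.{domain}")[0] != "NXDOMAIN"
    result["dkim_missing_heuristic"] = result["domainkey_exists"] and sig is None
    # What the domain owner actually asked receivers to do, via DMARC.
    result["dmarc_policy"] = dmarc_policy(domain)
    return result


# Constructed sample messages (headers only; the bodies do not matter here).
SIGNED = ("From: alice@signs-all.example\n"
          "DKIM-Signature: v=1; a=rsa-sha256; d=signs-all.example; s=sel1;\n"
          "  h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
          "Subject: hi\n\nbody\n")
UNSIGNED_SOME = "From: bob@signs-some.example\nSubject: hi\n\nbody\n"
UNSIGNED_ALL = "From: eve@signs-all.example\nSubject: hi\n\nbody\n"
UNSIGNED_NONE = "From: carol@nosign.example\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for label, raw in [("signed", SIGNED), ("unsigned, signs-some", UNSIGNED_SOME),
                       ("unsigned, signs-all", UNSIGNED_ALL), ("unsigned, nosign", UNSIGNED_NONE)]:
        r = assess(raw)
        print(f"{label:22} heuristic={r['dkim_missing_heuristic']!s:5} dmarc p={r['dmarc_policy']}")
```

Running it shows the heuristic firing on both unsigned messages from domains that publish keys, even though only one of those domains has a DMARC policy asking receivers to act on unsigned mail; the other is the "signs some mail" case the later replies warn about, and its `p=none` is the owner's explicit answer.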

Re: DKIM absence

Posted by Thomas Johnson <tj...@terramar.net>.
> On May 2, 2023, at 8:27 AM, Philip Prindeville <ph...@redfish-solutions.com> wrote:
> 
> Is there a way to add scoring that says, "If the sending domain has DKIM records, but there's no DKIM signature on this message, then attach a high score to it?"
> 
> We seem to attach negative scores when DKIM is present and valid, but what about the opposite direction?
> 
> If it's absent, but it shouldn't be?
> 


If there’s no dkim signature, you can’t check for dkim records in dns. The selector for a dkim signature is arbitrary - there’s no one dns lookup you can do to see all possible dkim records for a domain. 

You can use ADSP - it’s old and I don’t know how many domains have ADSP records these days, but it lets a domain specify that all mail must be dkim signed to be considered valid.  

We tell our customers to add an ADSP record, and we use it when checking their incoming mail to help identify forgeries. I don’t know that it helps much with mail from non-customers, though.  I’ll have to check and see how often our rules hit for that. 




Re: DKIM absence

Posted by Benny Pedersen <me...@junc.eu>.
Philip Prindeville skrev den 2023-05-02 17:26:
> Is there a way to add scoring that says, "If the sending domain has
> DKIM records, but there's no DKIM signature on this message, then
> attach a high score to it?"
> 
> We seem to attach negative scores when DKIM is present and valid, but
> what about the opposite direction?
> 
> If it's absent, but it shouldn't be?

sure, just make a DKIM test for a specific DKIM domain, then add a high score 
if matched

this requires a DKIM pass, i.e. it does not work for none

test it in sandbox