Posted to users@spamassassin.apache.org by Rob Sterenborg <R....@netsourcing.nl> on 2007/08/06 12:52:10 UTC

DK_POLICY_SIGNSOME

Hi,

I was looking around to see if I could find what

DK_POLICY_SIGNSOME
Domain Keys: policy says domain signs some mails

actually means, but I can't find it.

When I send an email from my work email address to my home email server,
this rule is hit for that email, but I'm quite sure that we have never
signed email using DK(IM) so I'm wondering: when exactly does an email
hit this rule?


Thanks,
Rob

Re: DK_POLICY_SIGNSOME

Posted by Dave Mifsud <da...@um.edu.mt>.
On 06/08/07 12:52, Rob Sterenborg wrote:
> ... I'm wondering: when exactly does an email
> hit this rule?
> 

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5485

-- 
Dave Mifsud
Systems Engineer
Computing Services Centre
University of Malta

CSC Tel: (+356) 2340 3004      CSC Fax: (+356) 21 343 397


Re: DK_POLICY_SIGNSOME

Posted by Mark Martinec <Ma...@ijs.si>.
Rob,

> > Yes, this is normal. An absence of a policy record implies
> > a default policy, which is a neutral 'signs some mail'.
>
> Personally, I find it strange to call 'signs some mail' neutral if
> there's nothing that indicates that we might actually do 'sign some
> mail'. But I haven't read all docs about the subject so I guess there's
> a reason for it or this is assumed.

It is a consequence of the requirement that a failed signature verification
MUST be indistinguishable from an absent signature.

Btw, the draft-ietf-dkim-ssp-00 (which is applicable to DKIM and
fills the same role as a policy record in DK) offers similar choices:

  unknown (default) The entity may sign some or all email.

  all     All mail from the entity is signed; unsigned email MUST be
          considered Suspicious ...

  strict  All mail from the entity is signed; messages lacking a
          valid Originator Signature MUST be considered Suspicious...

Mark

Re: DK_POLICY_SIGNSOME

Posted by Mark Martinec <Ma...@ijs.si>.
Kai,

> Mark Martinec wrote on Tue, 7 Aug 2007 10:22:22 +0200:
> > Domains which choose a default policy are not required to publish
> > a policy (or SSP) record. Penalizing them for choosing not
> > to explicitly publish what is a default anyway would be unjust.

> I think that's not the point.

> The point is to distinguish between using DomainKeys
> and not using DomainKeys. 

Right. And the only two things that matter here are (not going
into third-party signing difficulties here):
- either a mail carries a VALID signature from the sender
  (in which case his reputation may be taken into account),
- or else, the published policy indicates the sending domain
  is signing ALL mail (in which case we know a message is fake).

Any other combination is equivalent to a classical mail situation.
Not being so offers a free gift to spammers, e.g. making a distinction
between an invalid and absent signature (a spammer just inserts some junk 
signature), or making a distinction between explicit neutral and implicit 
(defaulted) policy (a spammer just fakes any sending domain which has
a signing policy that suits him).

> At the moment a domain that doesn't 
> use domainkeys is looked at as having default policy "may sign some".
> Frankly, I find this whole portion in the RFC badly flawed. It's an
> implicit opt-in which is considered bad in other circumstances (you know
> what I mean ...). I consider it bad here, too.

The default falls back to a classical non-signed mail situation.

  Mark

Re: DK_POLICY_SIGNSOME

Posted by Kai Schaetzl <ma...@conactive.com>.
Mark Martinec wrote on Tue, 7 Aug 2007 10:22:22 +0200:

> Domains which choose a default policy are not required to publish
> a policy (or SSP) record. Penalizing them for choosing not
> to explicitly publish what is a default anyway would be unjust.

I think that's not the point. The point is to distinguish between using 
DomainKeys and not using DomainKeys. At the moment a domain that doesn't 
use domainkeys is looked at as having default policy "may sign some".
Frankly, I find this whole portion in the RFC badly flawed. It's an 
implicit opt-in which is considered bad in other circumstances (you know 
what I mean ...). I consider it bad here, too.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: DK_POLICY_SIGNSOME

Posted by Mark Martinec <Ma...@ijs.si>.
Dan,

> > Yes, this is normal. An absence of a policy record implies
> > a default policy, which is a neutral 'signs some mail'.
>
> True, but perhaps, SA could hit a different rule when encountering the
> EXPLICIT "signsome" policy versus the IMPLICIT, i.e.
> DK_POLICY_SIGNSOME_DEFAULT or something similar?  (With corresponding
> explanation tests).

Domains which choose a default policy are not required to publish
a policy (or SSP) record. Penalizing them for choosing not
to explicitly publish what is a default anyway would be unjust.

Favouring a domain just for having a published neutral policy record
would soon get noticed by spammers, who are the first to take advantage
of any such opportunities.

  Mark

Re: [sa-list] Re: DK_POLICY_SIGNSOME

Posted by "Dan Mahoney, System Admin" <da...@prime.gushi.org>.
On Mon, 6 Aug 2007, Mark Martinec wrote:

> Rob,
>
>>> When the domainkey policy record for the domain in question says the
>>> domain signs some of its email.
>>
>> Heheh.. Yeah, I guessed that much, but, we *don't* sign email. Not
>> DK(IM) or anything else.
>
> Yes, this is normal. An absence of a policy record implies
> a default policy, which is a neutral 'signs some mail'.

True, but perhaps, SA could hit a different rule when encountering the 
EXPLICIT "signsome" policy versus the IMPLICIT, i.e. 
DK_POLICY_SIGNSOME_DEFAULT or something similar?  (With corresponding 
explanation tests).

-Dan

--

"Tonite on reboot!  People misspelling as many words with sexual
connotations as possible..."

-Keyo-Chan, February 10th 1999, Undernet #reboot

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------


Re: DK_POLICY_SIGNSOME

Posted by Mark Martinec <Ma...@ijs.si>.
Rob,

> > When the domainkey policy record for the domain in question says the
> > domain signs some of its email.
>
> Heheh.. Yeah, I guessed that much, but, we *don't* sign email. Not
> DK(IM) or anything else.

Yes, this is normal. An absence of a policy record implies
a default policy, which is a neutral 'signs some mail'.

The DK_POLICY_SIGNSOME doesn't carry by itself any information worth scoring.
It is there mostly for completeness, or perhaps for use in metarules.

> Dave Mifsud wrote:
> > http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5485
> I guess this is it.

Right.

See also the:
  http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5519
which explains why a rule is listed even if it scored 0.
To be fixed in 3.2.3 (or apply the patch manually to 3.2.2).

  Mark

RE: DK_POLICY_SIGNSOME

Posted by Rob Sterenborg <R....@netsourcing.nl>.
Matt Kettler wrote:
> Rob Sterenborg wrote:
>> Hi,
>> 
>> I was looking around to see if I could find what
>> 
>> DK_POLICY_SIGNSOME
>> Domain Keys: policy says domain signs some mails
>> 
>> actually means, but I can't find it.
>> 
>> When I send an email from my work email address to my home email
>> server, this rule is hit for that email, but I'm quite sure that we
>> have never signed email using DK(IM) so I'm wondering: when exactly
>> does an email hit this rule?
> 
> When the domainkey policy record for the domain in question says the
> domain signs some of its email.

Heheh.. Yeah, I guessed that much, but, we *don't* sign email. Not
DK(IM) or anything else.

> This record is not in the email, it is in the DNS records for the
> domain, and would be a TXT record for _domainkey.example.com.
> 
> Of course, not knowing what your work domain is, I can't check it for
> you, but you can check it using:
> 
> dig txt _domainkey.<insert work domain here>
>
> You should get back an o=~ for "signs some" and o=- for "signs all"

I see..
There is no such record and there's nothing in place signing email.

Dave Mifsud wrote:
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5485

I guess this is it.

Thanks for the answers!


Rob

Re: DK_POLICY_SIGNSOME

Posted by Kai Schaetzl <ma...@conactive.com>.
Rob Sterenborg wrote on Mon, 6 Aug 2007 15:38:24 +0200:

> Sorry, I, of course, have no explanation for that.

I didn't demand an explanation from you ;-) was just musing. But thanks 
for the URL. That indeed clarifies that it got used specifically to avoid 
clashes with real hostnames. Btw, it seems the Yahoo answer seems to be a 
result of wildcarding as yahoo.com gives the same IP numbers.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

RE: DK_POLICY_SIGNSOME

Posted by Rob Sterenborg <R....@netsourcing.nl>.
Kai Schaetzl wrote:
> Rob Sterenborg wrote on Mon, 6 Aug 2007 14:32:57 +0200:
> 
>> Didn't look it up but this is not a hostname, it's a TXT record so I
>> guess it's treated differently..
> 
> Good explanation, but looking it up I see there *is* an A record
> (actually, two).

Sorry, I, of course, have no explanation for that. What I do know is
that the DK(IM) record is a TXT record, not an A record.

According to this:
http://domainkeys.sourceforge.net/underscore.html
the _ must not be used in hostnames, but can be used in other type
records.


Grts,
Rob

Re: DK_POLICY_SIGNSOME

Posted by Kai Schaetzl <ma...@conactive.com>.
Rob Sterenborg wrote on Mon, 6 Aug 2007 14:32:57 +0200:

> Didn't look it up but this is not a hostname, it's a TXT record so I guess
> it's treated differently..

Good explanation, but looking it up I see there *is* an A record 
(actually, two). This may be an error, though. It probably explicitly 
uses the underscore for this purpose as it is forbidden as a hostname. At 
least RFC 4871 tells it's IANA registered, so I shouldn't bother, I guess.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

RE: DK_POLICY_SIGNSOME

Posted by Rob Sterenborg <R....@netsourcing.nl>.
Kai Schaetzl wrote:
> Kai Schaetzl wrote on Mon, 06 Aug 2007 14:03:42 +0200:
> 
>> _domainkey
> 
> BTW, doesn't the use of an underscore in a hostname violate RFC?

Didn't look it up but this is not a hostname, it's a TXT record so I guess
it's treated differently..


Grts,
Rob

Re: DK_POLICY_SIGNSOME

Posted by Kai Schaetzl <ma...@conactive.com>.
Kai Schaetzl wrote on Mon, 06 Aug 2007 14:03:42 +0200:

> _domainkey

BTW, doesn't the use of an underscore in a hostname violate RFC?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: DK_POLICY_SIGNSOME

Posted by Kai Schaetzl <ma...@conactive.com>.
Matt Kettler wrote on Mon, 06 Aug 2007 07:19:16 -0400:

> dig txt _domainkey.<insert work domain here>

doing a

host -t TXT _domainkey.example.com

should do the same, right?

I also started wondering why I see that on so many mails. Actually, it 
seems I get the DK_POLICY_SIGNSOME on all mail that is not whitelisted in 
MailScanner, anyway. 

There must be something going wrong. I checked several domains like you 
advised (I did that before, but didn't know the TXT record is to be found 
under _domainkey) and they either resolve but don't have a TXT record 
(probably multicards) or they don't resolve at all. On the other hand I 
checked yahoo.com and do get a domainkeys record. So, I seem to use the 
correct way to check it.

It looks like this rule hits all mail (probably with the exception of mail 
that does have domainkeys, but I can't currently find one of these).


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com

Re: DK_POLICY_SIGNSOME

Posted by Matt Kettler <mk...@verizon.net>.
Rob Sterenborg wrote:
> Hi,
>
> I was looking around to see if I could find what
>
> DK_POLICY_SIGNSOME
> Domain Keys: policy says domain signs some mails
>
> actually means, but I can't find it.
>
> When I send an email from my work email address to my home email server,
> this rule is hit for that email, but I'm quite sure that we have never
> signed email using DK(IM) so I'm wondering: when exactly does an email
> hit this rule?

When the domainkey policy record for the domain in question says the
domain signs some of its email.

This record is not in the email, it is in the DNS records for the
domain, and would be a TXT record for _domainkey.example.com.

Of course, not knowing what your work domain is, I can't check it for
you, but you can check it using:

dig txt _domainkey.<insert work domain here>

You should get back an o=~ for "signs some" and o=- for "signs all"
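Matt's `dig txt _domainkey.<domain>` lookup and Mark's two-case reasoning (a valid signature, or a published policy that says the domain signs all mail; everything else is classical unsigned mail) put together in runnable form. This is an added example, not code from the thread or from SpamAssassin: real DNS is replaced by a constructed in-memory table, and the names `signsome`, `signall` and `classify_message` are this example's own labels, not SpamAssassin rule names.

```python
from typing import Optional

# Constructed stand-in for the answers `dig txt _domainkey.<domain>` would
# return; a missing key models "no TXT record at all" (Rob's work domain).
FAKE_DNS_TXT = {
    "_domainkey.signs-all.example":  "o=-; r=postmaster@signs-all.example",
    "_domainkey.signs-some.example": "o=~; n=explicit neutral policy",
    "_domainkey.testing.example":    "o=-; t=y",
}

def lookup_policy_txt(domain: str) -> Optional[str]:
    """Offline replacement for the DNS TXT query (assumption: no real DNS)."""
    return FAKE_DNS_TXT.get("_domainkey." + domain)

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' policy record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def dk_policy(domain: str) -> dict:
    """Policy for a sending domain: 'signall' only for o=-, else 'signsome'.
    An absent record yields the default, which is also 'signsome'."""
    record = lookup_policy_txt(domain)
    if record is None:
        return {"policy": "signsome", "testing": False, "explicit": False}
    tags = parse_tags(record)
    return {"policy": "signall" if tags.get("o") == "-" else "signsome",
            "testing": tags.get("t") == "y", "explicit": True}

def classify_message(sender_domain: str, signature: str) -> str:
    """signature is 'valid', 'invalid' or 'absent'. Only two outcomes carry
    information: a VALID signature, or an unsigned message from a domain
    whose published policy says it signs ALL mail. Everything else is the
    classical unsigned-mail case, so 'invalid' is treated exactly like
    'absent' and an explicit o=~ exactly like no record."""
    if signature == "valid":
        return "signed"       # sender reputation may now be applied
    policy = dk_policy(sender_domain)
    # t=y (testing) records are not enforced here: this example's choice.
    if policy["policy"] == "signall" and not policy["testing"]:
        return "fake"
    return "classical"
```

Running `classify_message` for `signs-some.example` and for a domain with no record gives the same answer, which is the point Mark makes about explicit versus implicit neutral policies.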