[ietf-dkim] Statistics about DKIM and MIME
Murray S. Kucherawy
msk at cloudmark.com
Mon Oct 25 10:01:29 PDT 2010
> -----Original Message-----
> From: John R. Levine [mailto:johnl at iecc.com]
> Sent: Monday, October 25, 2010 8:07 AM
> To: Murray S. Kucherawy
> Cc: ietf-dkim at mipassoc.org
> Subject: Re: [ietf-dkim] Statistics about DKIM and MIME
> > The one that stands out is "multipart/signed" (from RFC1847) which drops
> > to about a 65% survival rate. I don't know much about how this is
> > typically formatted or treated en route, but it was easily the biggest
> > outlier in the report. Not sure if that should be a surprise to us or not.
> I'm surprised. That suggests something often adds the S/MIME signature
> after the DKIM signature, but as far as I know, S/MIME signatures are
> usually applied by the MUA.
> Do the stats say what kind of failure it was, e.g. body hash or header
Actually it's worse than I said originally. We track pass/fail in two bits, one being whether or not the crypto lined up and the other being whether or not the body hashes matched. Thus, it's possible to get a "pass" coupled with a body hash change. I had only selected for the first bit.
So here are the stats again. The first column is obviously the media type; the second is the count of signatures covering a message with that type as the outermost MIME part; the third column is the number of those that passed in both the crypto and the body hash sense, and the fourth is the pass percentage.

application/ms-tnef                       26      23   88.5%
application/pdf                           16      16    100%
message/disposition-notification          10      10    100%
message/rfc822                             2       2    100%
multipart/alternative                 290865  265270   91.2%
multipart/mixed                        38509   35370   91.8%
multipart/related                       7959    7149   89.8%
multipart/report                         958     883   92.2%
multipart/signed                         314      86   27.4%
text                                      13      13    100%
text/calendar                             34      32   94.1%
text/html                              63144   55880   88.5%
text/plain                             72195   55415   76.8%

In the particular case of multipart/signed there were 106 messages where the RSA verification failed, but 122 where it passed but the body hash at the verifier didn't match the one in the signature. So more failures occur from body changes than do from header changes.
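
Added example, not part of the original message or of any DKIM implementation: a sketch of the "body hashes matched" bit described above, using the body canonicalizations from RFC 6376 section 3.4 and SHA-256. The RSA bit is not modelled; it is computed over the signed header fields, including the bh= value carried in DKIM-Signature, which is why it can pass while the body bit fails. The sample bodies and the function names are constructed for illustration.

```python
import base64
import hashlib
import re

def canon_simple(body: bytes) -> bytes:
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """'relaxed': also collapse runs of WSP to one SP and strip WSP at line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

CANON = {"simple": canon_simple, "relaxed": canon_relaxed}

def body_hash(body: bytes, canon: str) -> str:
    """Value a signer places in bh= (base64 of SHA-256 over the canonical body)."""
    return base64.b64encode(hashlib.sha256(CANON[canon](body)).digest()).decode()

def body_bit(bh_tag: str, received: bytes, canon: str) -> bool:
    """The body bit: recompute the hash at the verifier and compare it to bh=."""
    return body_hash(received, canon) == bh_tag

# Constructed sample: the body as signed, then three versions seen by a verifier.
SIGNED = b"Hello  world\r\nsecond line\r\n"
RECEIVED = {
    "unchanged": SIGNED,
    "whitespace rewritten": b"Hello world \r\nsecond line\r\n\r\n",
    "footer appended": SIGNED + b"-- \r\nlist footer\r\n",
}

def survey() -> dict:
    """Map (canonicalization, change) -> body bit for the constructed bodies."""
    return {(c, name): body_bit(body_hash(SIGNED, c), body, c)
            for c in CANON for name, body in RECEIVED.items()}

if __name__ == "__main__":
    for (canon, name), ok in survey().items():
        print(f"{canon:8} {name:22} body hash {'match' if ok else 'MISMATCH'}")
```
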