[mail-vet-discuss] Last Call: draft-kucherawy-sender-auth-header (Message Header Field for Indicating Message Authentication Status) to Proposed Standard

Jim Fenton fenton at cisco.com
Tue Dec 2 09:48:08 PST 2008 

Lisa Dusseault wrote:
>
>
> On Mon, Dec 1, 2008 at 11:33 PM, Murray S. Kucherawy <msk at sendmail.com
> <mailto:msk at sendmail.com>> wrote:
>
>
>       Current wisdom among [DKIM] verifier implementations is to avoid
>       taking final filtering actions such as rejecting messages based on a
>       "fail" result, as there are plenty of legitimate reasons a signed
>       message might fail to verify.  Instead, such messages should
>       generally be treated as though they were not signed at all.  Thus, a
>       verifier MAY elect to report "neutral" in place of "fail" to
>       discourage needlessly harsh reactions from downstream agents.
>
> This seems like a bad idea to me; verifiers can always say whatever
> they like but encouraging them to report less accurate information
> seems like a poor choice for the long term compared to  just reporting
> the most accurate status.  Why would we recommend verifiers "lie"
> instead of recommending downstream agents to consider accepting failed
> signatures?

As I said to Murray, I'm a little sensitized to this issue because I
have been working with two different domains that are rejecting messages
when they have broken DKIM signatures.

RFC 4871 sec. 6.1 says, "Verifiers SHOULD ignore any DKIM-Signature
header fields where the signature does not validate."  My concern is
that if the verifier reports "fail", it's not really ignoring the broken
signature.

It's really a question of where the "ignoring" takes place:  in the
verifier, or downstream.  I'd be happy with leaving the "fail" result if
we add text to the effect that the "fail" result is mostly for
diagnostic purposes and that downstream agents SHOULD treat "fail" the
same as "neutral".

I had forgotten about that text in section 6.1; I thought we had
deferred on that issue until the overview or operations documents, and
had suggested stronger wording to Murray because I thought we didn't
already have something normative.  (Apologies, Murray).

-Jim

More information about the mail-vet-discuss mailing list