lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

DKIM verification by Authentication-Results header #31

Closed tomkicamp closed 9 years ago

tomkicamp commented 10 years ago

Hello, an alternative (or additional) way to provide the DKIM verification result (along with SPF and DMARC) could be to parse an Authentication-Results header if one was inserted by a trusted source such as the host from which email is being downloaded. An example A-R header inserted by Google:

Authentication-Results: mx.google.com; spf=neutral (google.com: 216.145.54.173 is neither permitted nor denied by domain of foo@yahoo-inc.com) smtp.mail=foo@yahoo-inc.com; dkim=pass header.i=@yahoo-inc.com; dmarc=pass (p=REJECT dis=NONE) header.from=yahoo-inc.com

lieser commented 10 years ago

Hello, I was already aware of this, but have not implemented it yet because of the following reasons: For DKIM, besides a maybe little faster showing of the result, I see no advantage over a local verification. For SPF and DMARC, I personally am not really interested in the result.

I'm a little unsure if this was only meant to inform me about this or if you are actually interested in it. If you want this to be added in this add-on (or want another add-on that simply shows the content of this header, without local verification) please say so. It should not really be hard to do so, though it may take some time.

You may also be interested in the MailHops add-on. Though its main purpose is something different, it shows the DKIM and SPF part of this header.

tomkicamp commented 10 years ago

Hello Lieser, I am generally interested, but you may consider me just a commenting bystander. :) I thought to mention the idea of the A-R header because it might be faster as you noted, but also because it might provide a positive result in scenarios where local delivery might have corrupted the message, resulting in a DKIM-verification failure. I did also mention it in thought that if you were interested you could also use that avenue to expand the plugin into the area of indicating true DMARC failure because you might then also be able to determine that both SPF and DKIM failed. Admittedly my most desirable plugin is one which shows pass/fail results for all of DKIM/SPF/DMARC.

lieser commented 10 years ago

Local SPF verification will probably not be added anytime soon, if ever (unless someone volunteers to add it). As DMARC requires SPF, it will only be added after SPF.

I will add the reading of the A-R header for DKIM, SPF and DMARC, though it may take some time. I'm thinking of adding the result of SPF and DMARC in the same header row the DKIM result is currently shown, similar to how it's done in the MailHops add-on. If you can think of any better way on how to present the result, please say so.

lieser commented 10 years ago

I have added the reading of the Authentication-Results header. Would be nice if you could test the pre-release version 1.3.0pre3 (https://github.com/lieser/dkim_verifier/releases).

tomkicamp commented 10 years ago

I did that this morning.

A message I just received resulted in ‘internal error’ displaying in the DKIM field. I don’t know if this is new, but I have not noticed it previously. Please contact me off-list for a copy of the message, which I do not care to share publicly. :)

regards, —Tomki


pierky commented 10 years ago

Hi tomkicamp, I had that problem too but I think that lieser fixed it with commit 1481da1179b4900e32d04fc5afa190808355a762.

lieser commented 10 years ago

If the used version is 1.3.0pre2, that is most probably the reason, but it should be fixed already in version 1.3.0pre3.

tomkicamp commented 10 years ago

I do have 1.3.0pre3 installed.

This is the feedback from debug:

Timestamp: 9/11/14, 17:26:11
Error: 2014-09-11 17:26:11 DKIM_Verifier.Display FATAL Error: no match (resource://dkim_verifier/ARHParser.jsm:249:2)
JS Stack trace: match@ARHParser.jsm:249:3 < parseResinfo@ARHParser.jsm:186:2 < _ARHParser_parse@ARHParser.jsm:161:4 < getARHResult@AuthVerifier.jsm:166:7 < _authVerifier_verify/promise<@AuthVerifier.jsm:110:4 < Handler.prototype.process@Promise-backend.js:863:11 < this.PromiseWalker.walkerLoop@Promise-backend.js:742:7

Source File: resource://gre/modules/Log.jsm Line: 760


lieser commented 10 years ago

Could you please post the content of the Authentication-Results header?

tomkicamp commented 10 years ago

Authentication-Results: ironport.turtlesys.net; dkim=pass (signature verified) header.i=@yipnet.com; dmarc=pass (p=none dis=none) d=yipnet.com


lieser commented 10 years ago

The Authentication-Results header has a wrong syntax (the d=yipnet.com is invalid. Should probably be header.d=yipnet.com), creating the error. Though this still should not result in an Internal error so I will fix this.

tomkicamp commented 10 years ago

I see. Actually it should be header.from=domain.com right?

I will report this to Cisco; the problem is in a header inserted by the Cisco IronPort appliance.


lieser commented 10 years ago

In case the property d=yipnet.com is referring to the domain of the From address: Like you suggested, header.from=domain.com would be the right way to do it.

In case the property d=yipnet.com is referring to the signer of the DKIM signature: To my knowledge there is currently no specified way to do this for DMARC. But because for DKIM either header.d=domain.com or header.i=@domain.com is used, this would probably be the best way to do it at the moment. Note that Google seems to use header.i=@domain.com for it.
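
Added example, not part of the thread and not the add-on's ARHParser.jsm: a simplified Authentication-Results parser run over the two header values quoted above. It uses results only from a trusted authserv-id and records a malformed property such as d=yipnet.com as a parse error instead of throwing. The function name, the trusted-ID list and the choice to drop a result entry that carries a bad property are assumptions made for illustration.

```javascript
// Header values as quoted in this thread (field name removed).
const GOOGLE_ARH = "mx.google.com; spf=neutral (google.com: 216.145.54.173 is " +
  "neither permitted nor denied by domain of foo@yahoo-inc.com) " +
  "smtp.mail=foo@yahoo-inc.com; dkim=pass header.i=@yahoo-inc.com; " +
  "dmarc=pass (p=REJECT dis=NONE) header.from=yahoo-inc.com";
const IRONPORT_ARH = "ironport.turtlesys.net; dkim=pass (signature verified) " +
  "header.i=@yipnet.com; dmarc=pass (p=none dis=none) d=yipnet.com";

// Property types allowed in the ptype.property=value form.
const PTYPES = new Set(["smtp", "header", "body", "policy"]);

// Hypothetical helper: parse one header value, trusting only the listed authserv-ids.
function parseAuthResults(headerValue, trustedIds) {
  // Drop comments such as "(p=none dis=none)"; nested comments are not handled.
  const noComments = headerValue.replace(/\([^()]*\)/g, " ");
  const [idPart, ...resParts] = noComments.split(";").map((s) => s.trim());
  const authservId = (idPart.split(/\s+/)[0] || "").toLowerCase();
  const out = { authservId, trusted: trustedIds.includes(authservId), results: [], errors: [] };
  // Any sender can add this header, so an unknown authserv-id yields no results.
  if (!out.trusted) return out;

  for (const part of resParts) {
    if (part === "" || part === "none") continue;
    const [first, ...rest] = part.split(/\s+/);
    const m = /^([a-z0-9-]+)=([a-z]+)$/i.exec(first);
    if (!m) { out.errors.push(`bad method/result: ${first}`); continue; }
    const entry = { method: m[1].toLowerCase(), result: m[2].toLowerCase(), props: {} };
    let valid = true;
    for (const tok of rest) {
      const p = /^([a-z]+)\.([a-z0-9_-]+)=(.+)$/i.exec(tok);
      if (p && PTYPES.has(p[1].toLowerCase())) {
        entry.props[`${p[1]}.${p[2]}`.toLowerCase()] = p[3];
      } else {
        // e.g. "d=yipnet.com": record the problem, never throw.
        out.errors.push(`${entry.method}: invalid property "${tok}"`);
        valid = false;
      }
    }
    if (valid) out.results.push(entry);
  }
  return out;
}
```

With the IronPort value, the dkim=pass entry is kept and the dmarc entry is reported in `errors`, so a display layer can show the parse problem without raising an internal error.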

lieser commented 10 years ago

A new pre-release is available at https://github.com/lieser/dkim_verifier/releases.

tomkicamp commented 10 years ago

The error is no longer present with the pre-release 4.

I do see a message now such as “Invalid (should be signed by pge.com)” even when there is no DKIM signature in the message - is this another side-effect of the A-R header? Actually it does not seem to be, because I turned off A-R evaluation and no force reevaluation and no change. pge.com is not in the signers lists that I could find.

Authentication-Results: ironport.turtlesys.net; dkim=neutral (message not signed) header.i=none; dmarc=fail (p=none dis=none) d=pge.com


lieser commented 10 years ago

Do you have "Use DMARC to heuristically determinate if an e-mail should be signed" enabled? This option can produce false results. Either make a sign rule for the domain saying it does not have to be signed (rule type 2) or disable the option.

tomkicamp commented 10 years ago

Yes, that was it.
