
SpamAssassin DKIM with Virtual Hosting
I have a question about how SA's DKIM rules apply to virtual hosting. 
If "myhosting.com" hosts and sends mail for "JoesFlowers.com", does SA
check the signature for "myHosting.com", for "JoesFlowers.com", or
both?  Or is there some criteria to determine which domain name should
have the DKIM signature?  Is there a penalty score if one or the other
is missing?
Re: SpamAssassin DKIM with Virtual Hosting [ In reply to ]
Really depends on what technology you are using for the DKIM
signatures. Hard to predict without knowing more about your setup.

Recommend you send an email as each to cpanelloop@pccc.com if you want to
see how it looks to a well configured SA setup.

Regards, KAM

On Thu, Sep 24, 2020, 00:21 Jerry Malcolm <techstuff@malcolms.com> wrote:

> I have a question about how SA's DKIM rules apply to virtual hosting.
> If "myhosting.com" hosts and sends mail for "JoesFlowers.com", does SA
> check the signature for "myHosting.com", for "JoesFlowers.com", or
> both? Or is there some criteria to determine which domain name should
> have the DKIM signature? Is there a penalty score if one or the other
> is missing?
>
>
Re: SpamAssassin DKIM with Virtual Hosting [ In reply to ]
On Wed, 23 Sep 2020 23:20:26 -0500
Jerry Malcolm wrote:

> I have a question about how SA's DKIM rules apply to virtual hosting.
> If "myhosting.com" hosts and sends mail for "JoesFlowers.com", does
> SA check the signature for "myHosting.com", for "JoesFlowers.com", or
> both? 

Both

> Or is there some criteria to determine which domain name
> should have the DKIM signature?  Is there a penalty score if one or
> the other is missing?

It doesn't make much difference, unless there's a whitelist involved.
Re: SpamAssassin DKIM with Virtual Hosting [ In reply to ]
>

> > Or is there some criteria to determine which domain name
> > should have the DKIM signature? Is there a penalty score if one or
> > the other is missing?
>
> It doesn't make much difference, unless there's a whitelist involved.

If you publish a DMARC record, DMARC requires that the DKIM signing domain be
aligned with the From: header domain in order to pass. SA doesn't currently
check DMARC I don't think but lots of other receivers do.

And even if you don't want to publish DMARC records now it's probably best
practice to sign with the organizational domain of the From: header. A DKIM
signature from an unrelated domain doesn't really say anything except that the
message wasn't altered in transit.
Re: SpamAssassin DKIM with Virtual Hosting [ In reply to ]
On 9/24/2020 10:54 AM, Alan Hodgson wrote:
>>
>>> Or is there some criteria to determine which domain name
>>> should have the DKIM signature?  Is there a penalty score if one or
>>> the other is missing?
>> It doesn't make much difference, unless there's a whitelist involved.
> If you publish a DMARC record, DMARC requires that the DKIM signing
> domain be aligned with the From: header domain in order to pass. SA
> doesn't currently check DMARC I don't think but lots of other
> receivers do.
>
> And even if you don't want to publish DMARC records now it's probably
> best practice to sign with the organizational domain of the From:
> header. A DKIM signature from an unrelated domain doesn't really say
> anything except that the message wasn't altered in transit.

Thanks Alan,

I wasn't really sure if the rDNS domain was more important than the
from: header domain.  Thanks for clearing that up.

Jerry
Re: SpamAssassin DKIM with Virtual Hosting [ In reply to ]
Jerry Malcolm wrote:
> I have a question about how SA's DKIM rules apply to virtual hosting. If
> "myhosting.com" hosts and sends mail for "JoesFlowers.com", does SA check
> the signature for "myHosting.com", for "JoesFlowers.com", or both? Or is
> there some criteria to determine which domain name should have the DKIM
> signature? Is there a penalty score if one or the other is missing?

Let's pick apart your message to the list and see! :-)

I'll abbreviate it just a little bit.

Authentication-Results: havoc.proulx.com;
dkim=pass (1024-bit key; unprotected) header.d=jwmhosting.com header.i=@jwmhosting.com
header.b="VrBX7ycz";
dkim-atps=neutral
Authentication-Results: spamproc1-he-fi.apache.org (amavisd-new);
dkim=pass (1024-bit key) header.d=jwmhosting.com
From: Jerry Malcolm <techstuff@malcolms.com>
Subject: SpamAssassin DKIM with Virtual Hosting
To: users@spamassassin.apache.org
DKIM-Signature: a=rsa-sha256;
b=VrBX7yc...;
s=primary; c=relaxed/relaxed; d=jwmhosting.com; v=1;
bh=8hMHDvIq9NslBFwLfwAyXNkqCHwBG5DBig+Bak+au5E=;
h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;

In the signature it says s=primary that's the selector and
d=jwmhosting.com so that is the domain.

host -t txt primary._domainkey.jwmhosting.com
primary._domainkey.jwmhosting.com descriptive text "k=rsa; p=MIGfMA0..."

The h= headers were included in the signature created the b= and bh=
body hash of the message corresponding to the key obtained by that
selector in that domain. Then as the message passed through various
systems they added a tracing header that the dkim=pass status was
noted along the way. All of the way to my receiving system. Whew!

But as you can see, with regard to your question, it means that
one can mix and match the s= selector and d= domain with the message
header. On a technical level if I have example.net and example.org I
could have example.net sign a key for example.org. But is that really
useful?

As I understand it if the domain does not match the domain in the
"From:" header then it should be ignored as if the dkim signature were
not provided. But being a policy issue I am sure there will be
variances. And I only very imperfectly understand the policy, what it
allows and what it denies.

But that means that mail From: joe@JoesFlowers.com should have a DKIM
which signs for the JoesFlowers.com domain and the txt record should
post a key for selector._domainkey.joesflowers.com so that everything
matches.

I like using the check-auth@verifier.port25.com automated test
facility to report on configurations. Send a mail there and an
automated report will be returned.

Bob
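To make Alan's alignment point and Bob's header walk-through concrete, here is an added example (not code from the thread or from SpamAssassin) that parses a DKIM-Signature header, derives the DNS name of the selector record, and checks whether the d= domain is aligned with the From: domain in DMARC's relaxed and strict senses. The sample message is constructed from the headers Bob quoted; the organizational-domain helper is an assumption that takes the last two labels, whereas a real DMARC verifier consults the Public Suffix List.

```python
import email
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the thread (not a real capture)
SAMPLE_MESSAGE = """\
From: Jerry Malcolm <techstuff@malcolms.com>
To: users@spamassassin.apache.org
Subject: SpamAssassin DKIM with Virtual Hosting
DKIM-Signature: a=rsa-sha256; b=VrBX7yc...; s=primary; c=relaxed/relaxed;
 d=jwmhosting.com; v=1; bh=8hMHDvIq9NslBFwLfwAyXNkqCHwBG5DBig+Bak+au5E=;
 h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;

(body omitted)
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).
    Folded continuation lines are joined and whitespace inside values is dropped,
    which is how DKIM treats folding whitespace in tags such as b= and h=."""
    tags = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, val = part.split("=", 1)
        tags[name.strip()] = "".join(val.split())
    return tags


def organizational_domain(domain):
    """Assumption: approximate the organizational domain as the last two labels.
    Production code must use the Public Suffix List (e.g. example.co.uk has three)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_aligned(from_domain, signing_domain, mode="relaxed"):
    """DMARC DKIM alignment: strict requires d= to equal the From: domain exactly,
    relaxed only requires both to share the same organizational domain."""
    f, d = from_domain.lower(), signing_domain.lower()
    if mode == "strict":
        return f == d
    return organizational_domain(f) == organizational_domain(d)


def selector_record_name(tags):
    """DNS TXT name a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def analyze(raw_message):
    """Report signing domain, selector record and alignment for one message."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    return {
        "from_domain": from_domain,
        "signing_domain": tags["d"],
        "selector": tags["s"],
        "key_record": selector_record_name(tags),
        "signed_headers": tags["h"].split(":"),
        "relaxed_aligned": dkim_aligned(from_domain, tags["d"], "relaxed"),
        "strict_aligned": dkim_aligned(from_domain, tags["d"], "strict"),
    }


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_MESSAGE).items():
        print(f"{key}: {val}")
```

Run against the constructed sample, the report shows a valid signature by jwmhosting.com (key at primary._domainkey.jwmhosting.com) that is not aligned with malcolms.com in either mode, which is exactly the situation Alan describes: the signature proves integrity but would not satisfy a DMARC policy for the From: domain. Signing with d=joesflowers.com (or a subdomain of it under relaxed alignment) is what makes the check pass.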
Re: SpamAssassin DKIM with Virtual Hosting [ In reply to ]
>> > Or is there some criteria to determine which domain name
>> > should have the DKIM signature? Is there a penalty score if one or
>> > the other is missing?
>>
>> It doesn't make much difference, unless there's a whitelist involved.

On 24.09.20 08:54, Alan Hodgson wrote:
>If you publish a DMARC record, DMARC requires that the DKIM signing domain be
>aligned with the From: header domain in order to pass. SA doesn't currently
>check DMARC I don't think but lots of other receivers do.

It's not necessary if the SPF passes just for completeness.
It's of course better to have mail signed by matching domain.

>And even if you don't want to publish DMARC records now it's probably best
>practice to sign with the organizational domain of the From: header. A DKIM
>signature from an unrelated domain doesn't really say anything except that the
>message wasn't altered in transit.

--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
WinError #98652: Operation completed successfully.
Re: SpamAssassin DKIM with Virtual Hosting [ In reply to ]
Bob... wow.  I really appreciate the analysis.  This is (or will be as
soon as I dig into everything you've explained) incredibly useful.  Thank
you so much.

Jerry

On 9/24/2020 8:23 PM, Bob Proulx wrote:
> Jerry Malcolm wrote:
>> I have a question about how SA's DKIM rules apply to virtual hosting. If
>> "myhosting.com" hosts and sends mail for "JoesFlowers.com", does SA check
>> the signature for "myHosting.com", for "JoesFlowers.com", or both? Or is
>> there some criteria to determine which domain name should have the DKIM
>> signature? Is there a penalty score if one or the other is missing?
> Let's pick apart your message to the list and see! :-)
>
> I'll abbreviate it just a little bit.
>
> Authentication-Results: havoc.proulx.com;
> dkim=pass (1024-bit key; unprotected) header.d=jwmhosting.com header.i=@jwmhosting.com
> header.b="VrBX7ycz";
> dkim-atps=neutral
> Authentication-Results: spamproc1-he-fi.apache.org (amavisd-new);
> dkim=pass (1024-bit key) header.d=jwmhosting.com
> From: Jerry Malcolm <techstuff@malcolms.com>
> Subject: SpamAssassin DKIM with Virtual Hosting
> To: users@spamassassin.apache.org
> DKIM-Signature: a=rsa-sha256;
> b=VrBX7yc...;
> s=primary; c=relaxed/relaxed; d=jwmhosting.com; v=1;
> bh=8hMHDvIq9NslBFwLfwAyXNkqCHwBG5DBig+Bak+au5E=;
> h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;
>
> In the signature it says s=primary that's the selector and
> d=jwmhosting.com so that is the domain.
>
> host -t txt primary._domainkey.jwmhosting.com
> primary._domainkey.jwmhosting.com descriptive text "k=rsa; p=MIGfMA0..."
>
> The h= headers were included in the signature created the b= and bh=
> body hash of the message corresponding to the key obtained by that
> selector in that domain. Then as the message passed through various
> systems they added a tracing header that the dkim=pass status was
> noted along the way. All of the way to my receiving system. Whew!
>
> But as you can see, with regard to your question, it means that
> one can mix and match the s= selector and d= domain with the message
> header. On a technical level if I have example.net and example.org I
> could have example.net sign a key for example.org. But is that really
> useful?
>
> As I understand it if the domain does not match the domain in the
> "From:" header then it should be ignored as if the dkim signature were
> not provided. But being a policy issue I am sure there will be
> variances. And I only very imperfectly understand the policy, what it
> allows and what it denies.
>
> But that means that mail From: joe@JoesFlowers.com should have a DKIM
> which signs for the JoesFlowers.com domain and the txt record should
> post a key for selector._domainkey.joesflowers.com so that everything
> matches.
>
> I like using the check-auth@verifier.port25.com automated test
> facility to report on configurations. Send a mail there and an
> automated report will be returned.
>
> Bob