|
This article is the first in an occasional series on DKIM/ADSP edge cases that may not be generally recognized or understood.
Many people advocate DKIM/ADSP adoption without fully recognizing potential implementation and operational issues. The fact is that the email messaging environment is fraught with opportunities for poor outcomes because of common practices that need to be considered or poorly understood implementations that are not considered. This is especially true at this point with efforts to implement ADSP in conjunction with DKIM. For organizations considering implementing strong authentication assertions such as an ADSP “ALL” or “DISCARDABLE”, one can never be too cautious.
A case in point is the message-id header. One typically expects to find a message-id header in an email message. It is not however a mandatory (MUST) header. RFC822 specifically identifies it as an optional header. RFC2822 and RFC5322 raise the bar further by stating that messages SHOULD have a message-id. A SHOULD however is not a MUST.
In many cases an mail transfer agent (MTA) or relay will add a message-id if one is not already present when the message is received.
So what happens in a case where a homegrown (Perl, Python, etc.) application or commercial application is used to generate email messages but by default it does not generate a message-id? Generally, Some MTA that handles the message adds the missing header. No harm, no foul.
As the email community introduces authentication approaches such as DKIM/ADSP, the risks start to mount. When we look at the standard headers that many DKIM implementations sign in their default mode, we find that message-id is one of those headers. If the signing host/device/application does not check to make sure that a message-id is present prior to signing, the non-present message-id header may still be signed (by inclusion in “h=”). When a helpful MTA subsequently adds the missing message-id header, the signature is broken and subsequent attempts to validate the signature will fail.
It should also be considered that the helpful MTA may be an intermediary which has no direct relationship with either the sender or the receiver.
At least one inbound mail system implementer is currently adding a message-id on arriving email before validating the DKIM signature. Validation fail! It is not clear how many other implementations might behave in a similar manner. The purpose of this article and recommendations is not to describe the issue in terms of right or wrong. It is to document the issue and identify ways that senders, receivers and vendors might mitigate the issue in the context of DKIM/ADSP signing, asserting and validating.
For the sending/signing organization, the following steps can be taken to minimize the risks of this particular case:
For the receiving/validating organization, always checking/validating what is signed (h=) by the DKIM signature BEFORE making any modifications to the message is one way of reducing the risk of broken signatures and validation failures induced on the receiving side.
For vendors, examining their implementations on both the sending and receiving side and considering mitigating steps in default installations would be a positive step. One approach would be to ensure there is a message-id before including message-id in the “h=” tag regardless of whether this is enabled generally. Another approach might be to give a warning at the time DKIM signing is configured.
This issue came to light as a result of an application that had been in production for years getting broken such that message-id’s were no longer being generated. The DKIM signing process was implemented at the border without any logic to ensure that messages leaving the organization did not have a signed but non-present message-id header.
Some might assert that an organization should never DKIM sign a non-existent message-id header. At this time it is not clear, at least to me, that this is absolutely true. The implications of signing versus not signing under these circumstances certainly merit a healthy discussion before a verdict is reached.
Longer term, it may be that the community should consider modifying the message-id header from a SHOULD to a MUST when a successor to RFC5322 is considered.
I’d like to thank Mark Martinec for helping to bring this issue to light as a consequence of his work on the Spamassassin DKIM plugin support for domain signing practices (ADSP), with overrides.
Sponsored byRadix
Sponsored byCSC
Sponsored byIPv4.Global
Sponsored byVerisign
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byDNIB.com
Good insights, Mike (and Mark). I’d probably approach this problem differently, and suggest that DKIM signing implementations not include non-existent header fields in the h= list unless there is a real threat from someone adding a header field that they’re trying to counter.
DKIM does its best to accommodate a lot of things that mail systems might do. Mail systems are unlikely to change to accommodate DKIM, especially at this stage in DKIM’s lifecycle.
Jim, Mark's response to me was the same as yours regarding signing non-existent header fields - specifically message-id. I'm a little more hesitant because I haven't yet thought through the potential for abuse of an unsigned message-id field (or for that matter, many other fields) in this sort of context. I'd also point to Hector Santos response on the IETF-DKIM list which is basically the opposite of your position (that is, intermediary and receiving systems should not be adding these sorts of headers, period). To be honest, I'm not sure how big of an issue this is in terms of scope. This is one of the reasons I included comments directed towards vendors. For someone implementing their own code or comfortable with Open Source, I tend to say Caveat Emptor - that is, the warning should be sufficient for them to exercise appropriate care. For many implementors though, they will be at the mercy of the vendor design. If the default checkbox from the vendor says "sign standard headers" for DKIM, will the average customer delve any deeper? Obviously, for anyone making an ADSP assertion and falling into this type of situation it could potential be fairly painful. It is also potentially painful for receivers that end up taking enduser complaints. So implementors should check their implementation, vendors should consider how they design what they provide, intermediaries should exercise care and receivers should consider the implications of what their inbound MTAs/systems are doing. I agree with you that mail systems are unlikely to change..... until people get bit by something. How long did it take for the email system overall to generally move away from the notion of open relays? Even today we can find them. Mike