draft-ietf-dkim-implementation-report-02.txt   draft-ietf-dkim-implementation-report-03.txt 
DKIM Working Group M. Kucherawy DKIM Working Group M. Kucherawy
Internet-Draft Cloudmark Internet-Draft Cloudmark
Intended status: Informational October 4, 2010 Intended status: Informational October 11, 2010
Expires: April 7, 2011 Expires: April 14, 2011
RFC4871 Implementation Report RFC4871 Implementation Report
draft-ietf-dkim-implementation-report-02 draft-ietf-dkim-implementation-report-03
Abstract Abstract
This document contains an implementation report for the IESG covering This document contains an implementation report for the IESG covering
DomainKeys Identified Mail (DKIM) in support of the advancement of DomainKeys Identified Mail (DKIM) in support of the advancement of
that specification along the Standards Track. that specification along the Standards Track.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 32 skipping to change at page 1, line 32
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 7, 2011. This Internet-Draft will expire on April 14, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 7 skipping to change at page 3, line 7
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
6. Security Considerations . . . . . . . . . . . . . . . . . . . 14 6. Security Considerations . . . . . . . . . . . . . . . . . . . 14
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7.1. Normative References . . . . . . . . . . . . . . . . . . . 15 7.1. Normative References . . . . . . . . . . . . . . . . . . . 15
7.2. Informative References . . . . . . . . . . . . . . . . . . 15 7.2. Informative References . . . . . . . . . . . . . . . . . . 15
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 16 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 16
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
DomainKeys Identified Mail ([DKIM]), published in May 2007, has DomainKeys Identified Mail (DKIM), published in May 2007, has reached
reached a level of maturity sufficient to consider its advancement a level of maturity sufficient to consider its advancement along the
along the standards track. Enclosed is a summary of collected standards track. Enclosed is a summary of collected interoperability
interoperability data provided from sources that are aggregating such data provided from sources that are aggregating such information as
information as well as from a more formal DKIM interoperability event well as from a more formal DKIM interoperability event that took
that took place in October 2007. place in October 2007.
2. Definitions 2. Definitions
DomainKeys Identified Mail is defined in [DKIM].
Various terms specific to email are used in this document. Their Various terms specific to email are used in this document. Their
definitions and further discussion can be found in [EMAIL-ARCH]. definitions and further discussion can be found in [EMAIL-ARCH].
3. DKIM Interoperability Event 3. DKIM Interoperability Event
In October 2007, Alt-N Technologies of Dallas, Texas hosted an In October 2007, Alt-N Technologies of Dallas, Texas hosted an
interoperability and testing event at their headquarters. Twenty interoperability and testing event at their headquarters. Twenty
organizations sent engineers and their various DKIM implementations organizations sent engineers and their various DKIM implementations
to connect to a private internal network and exchange test messages to connect to a private internal network and exchange test messages
and tabulate observed results. and tabulate observed results.
skipping to change at page 5, line 34 skipping to change at page 5, line 34
Nearly all of the implementations were based on disjoint code Nearly all of the implementations were based on disjoint code
development projects. A few were based on a common open source base development projects. A few were based on a common open source base
project. project.
3.2. Testing Methodology 3.2. Testing Methodology
Participants were encouraged before the event to craft a set of test Participants were encouraged before the event to craft a set of test
messages meant to exercise their own implementations as well as those messages meant to exercise their own implementations as well as those
of the other participants, both in terms of successful verifications of the other participants, both in terms of successful verifications
as well as some expected to fail. Some test cases were developed as well as some expected to fail. Test cases were developed with the
with the intent of confounding verifiers that may not have intent of confounding verifiers that may not have implemented the
implemented the [ABNF] of [DKIM] correctly. [ABNF] of [DKIM] correctly.
The participants set up Mail Transfer Agents (MTAs) equipped with The participants set up Mail Transfer Agents (MTAs) equipped with
their own DKIM signing and verifying modules, and their own tools to their own DKIM signing and verifying modules, and their own tools to
generate mail to be signed along with tools to analyze the results generate mail to be signed along with tools to analyze the results
post-verification. They then sent their own batteries of test post-verification. They then sent their own batteries of test
messages, looking for both expected and unexpected failures in messages, looking for both expected and unexpected failures in
response. Some implementations included "auto-responders" that would response. Some implementations included "auto-responders" that would
reply with verification results, while others simply collected the reply with verification results, while others simply collected the
results that would then be shared manually. results that would then be shared manually.
skipping to change at page 6, line 19 skipping to change at page 6, line 19
implementations presented for testing. In such cases the developers implementations presented for testing. In such cases the developers
were able to identify the issue as resulting from their own mis- were able to identify the issue as resulting from their own mis-
reading of the specification and not an error in the specification reading of the specification and not an error in the specification
itself. itself.
Several of the failures did occur as a result of specification Several of the failures did occur as a result of specification
ambiguities. The participants discussed each of these in turn and ambiguities. The participants discussed each of these in turn and
were able to come to consensus on how they believed the specification were able to come to consensus on how they believed the specification
should be changed to resolve them. should be changed to resolve them.
The participants agreed to keep the results about the specific tests
private. Accordingly, those data are not presented here.
3.4. Results 3.4. Results
The handful of interoperability issues described above that referred The handful of interoperability issues described above that referred
to weaknesses or ambiguities in [DKIM] resulted in several errata to weaknesses or ambiguities in [DKIM] resulted in several errata
being opened via the RFC Editor web site. These are being addressed being opened via the RFC Editor web site. These are being addressed
in an RFC4871bis draft effort that is now starting from within the in an RFC4871bis draft effort that is now starting from within the
DKIM working group. DKIM working group.
The errata items, in summary: The errata items, in summary:
skipping to change at page 9, line 39 skipping to change at page 9, line 39
of the time; "z=" was seen 4.8% of the time. of the time; "z=" was seen 4.8% of the time.
Body Length Limits: Of the signatures for which "l=" was used, 6.4% Body Length Limits: Of the signatures for which "l=" was used, 6.4%
of them signed none of the body, and 100% of the rest had the body of them signed none of the body, and 100% of the rest had the body
extended after signing. extended after signing.
Signature Pass Rates: Overall, 89.9% of observed signatures were Signature Pass Rates: Overall, 89.9% of observed signatures were
successfully verified. successfully verified.
Pass Rates for Non-List Mail: Where "list mail" is defined as any Pass Rates for Non-List Mail: Where "list mail" is defined as any
mail not bearing one of the header fields defined in [LIST-ID] or mail bearing one of the header fields defined in [LIST-ID] or in
in [LIST-URLS], or a "Precedence: list" field, selecting only for [LIST-URLS], or a "Precedence: list" field, selecting only for
mail that is not list mail revealed a successful verification rate mail that is not list mail revealed a successful verification rate
of 93.6%; selecting only for list mail produced a 84.7% success of 93.6%; selecting only for list mail produced a 84.7% success
rate. rate.
DNSSEC: Only one reporting site is currently checking for DNSSEC on DNSSEC: Only one reporting site is currently checking for DNSSEC on
keys retrieved from the DNS. It found no signed keys. keys retrieved from the DNS. It found no signed keys.
Common errors: The top five verification errors observed: Key not Common errors: The top five verification errors observed: Key not
found in DNS (20.3%), key granularity mismatch (14.2%), DNS found in DNS (20.3%), key granularity mismatch (14.2%), DNS
retrieval failure such as timeouts (1.8%), key revoked (1.7%), retrieval failure such as timeouts (1.8%), key revoked (1.7%),
skipping to change at page 11, line 28 skipping to change at page 11, line 28
Key retrieval errors: 14 million (1%) Key retrieval errors: 14 million (1%)
Signature refers to nonexistent domain: 10 million (0.7%) Signature refers to nonexistent domain: 10 million (0.7%)
Signature refers to nonexistent key: 36 million (2.5%) Signature refers to nonexistent key: 36 million (2.5%)
Signature refers to revoked key: 138,000 (~0% ) Signature refers to revoked key: 138,000 (~0% )
Verified signatures: 1.2 billion (85.7%) Verified signatures: 1.2 billion (85.7%)
AUID matches From: domain: 1.2 billion (85.7%)
Failed signatures (body changed): 78 million (5.6%) Failed signatures (body changed): 78 million (5.6%)
Failed signatures (other): 34 million (2.4%) Failed signatures (other): 34 million (2.4%)
Expired signatures: less than 1 million (~0%) Expired signatures: less than 1 million (~0%)
4.3. Google Mail Data 4.3. Google Mail Data
Google Mail reports the following: Google Mail reports the following:
Unsigned mail: 72.1% Unsigned mail: 72.1%
AUID matches From: domain: 68.7%
Signed mail that verified: 14.7% Signed mail that verified: 14.7%
Signed mail that verified in test mode: 11.7% Signed mail that verified in test mode: 11.7%
Signed mail that failed: 0.2% Signed mail that failed: 0.2%
Signed mail that failed in test mode: 0.2% Signed mail that failed in test mode: 0.2%
Body hash mismatch: 0.5% Body hash mismatch: 0.5%
Signature missing required parameters: 0.3% Signature missing required parameters: 0.3%
Granularity mismatch: 0.2% Granularity mismatch: 0.2%
These data are reported based on an implementation that only
evaluates one signature per message.
All other reportable anomalies occurred in vanishingly small All other reportable anomalies occurred in vanishingly small
percentages. percentages.
5. IANA Considerations 5. IANA Considerations
This memo contains no actions for IANA. This memo contains no actions for IANA.
6. Security Considerations 6. Security Considerations
This document is an implementation report and thus has no security This document is an implementation report and thus has no security
 End of changes. 13 change blocks. 
16 lines changed or deleted 28 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/