Claus Assmann wrote:
>>>You seem to have missed the fact that SPF breaks existing working
>>>legitimate setups.
>
>>DomainKeys also does. If I read the proposal right, a server isn't
>>allowed to add any header after the DomainKeys-Signature: header.
>
>
> Read the draft again :-)
>
> There's some ordering in the headers, so if your MTA adds the new
> stuff before the signature, you're ok. If DK would break forwarding
> it would be useless.
Read the next paragraph of my mail.
<quote>
Well, exim does. Imagine a forwarding service, with spam-scanning, which
adds headers. Boom, DomainKeys will fail to verify the mail.
</quote>
Exim DOES add extra headers (not Received: and some others) on the end
of previous headers. So all exim-forwarders will currently break the
signature, when they add headers.
IMHO the signature should only be added to some headers, things that are
of interest for an end user. At least X-* should be ignored. I know, the
draft already talks about this, so maybe they'll fix it.
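
A simplified model of the header-ordering problem argued over in this message, added as an example; it is not code from the DomainKeys draft, exim, or either poster. It assumes the signature covers the headers that follow the signature header, uses an HMAC as a stand-in for the draft's public-key signature, and the `signed=` field, key and sample message are constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # stand-in for the signer's key (assumption)
SIG = "DomainKeys-Signature"    # header name as spelled in the thread

def _digest(headers, body, only=None):
    """MAC over the covered headers plus the body (model, not the draft's rules)."""
    covered = [(n, v) for n, v in headers if only is None or n.lower() in only]
    data = "".join(f"{n.lower()}:{v.strip()}\r\n" for n, v in covered)
    return hmac.new(KEY, (data + "\r\n" + body).encode(), hashlib.sha256).hexdigest()

def sign(headers, body, only=None):
    """Prepend a signature header; `only` limits coverage to the named headers."""
    tag = ",".join(sorted(only)) if only else "*"
    return [(SIG, f"signed={tag}; b={_digest(headers, body, only)}")] + list(headers)

def verify(headers, body):
    """Check the signature against whatever now follows the signature header."""
    names = [n for n, _ in headers]
    if SIG not in names:
        return False
    i = names.index(SIG)
    fields = dict(p.strip().split("=", 1) for p in headers[i][1].split(";"))
    only = None if fields["signed"] == "*" else set(fields["signed"].split(","))
    return hmac.compare_digest(fields["b"], _digest(headers[i + 1:], body, only))

# Constructed sample message and a header a scanning forwarder might add.
MSG = [("From", "alice@example.org"), ("To", "bob@example.net"), ("Subject", "hello")]
BODY = "hi\r\n"
SCAN = ("X-Spam-Status", "No")

def scenarios():
    full = sign(MSG, BODY)                                    # covers all following headers
    partial = sign(MSG, BODY, only={"from", "to", "subject"})  # covers named headers only
    return {
        "untouched": verify(full, BODY),
        "added_before_signature": verify([SCAN] + full, BODY),
        "added_after_signature": verify(full + [SCAN], BODY),
        "added_after_partial_signature": verify(partial + [SCAN], BODY),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'verifies' if ok else 'FAILS'}")
```
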