Re: [exim] Exim Snapshot - DomainKeys support - Testers want…

Author: Tom Kistner
Date:  
To: David Woodhouse
CC: exim-users, exiscanusers
Subject: Re: [exim] Exim Snapshot - DomainKeys support - Testers wanted
David Woodhouse wrote:

> Which identity are you using for checking the signature? If a message
> has different addresses in From:, Sender: and Resent-From: headers,
> which of those will you use for the purpose of checking DK?


The underlying reference implementation does that. It uses the value of
the d= parameter from the DomainKey-Signature header.

draft-delany-domainkeys-base-01.txt says:

     d = The domain name of the signing domain. This tag MUST be
         present. In conjunction with the selector tag, this domain
         forms the basis of the public-key query. The value in this tag
         MUST match the domain of the sending email address or MUST be
         one of the parent domains of the sending email address.


> If you're always using the From: header, that would explain your
> observation above.


I don't know if the reference lib uses headers as a fallback when d= is
unset or does not produce a useable key. I guess not.

My work in implementing this was mainly to "fit" the interface to the
lib into exim. This was not as easy as I anticipated. Exim makes slight
modifications to headers already while reading it from the network.
Also, exim allows alteration of the complete message with transport
filters which in turn pipe directly to the SMTP socket. I still managed
to make DK signing work even when you use a transport filter. Isn't too
pretty but seems to work OK.

/tom
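
The d= rule quoted from the draft above, as an added example that is not part of the original message, Exim, or the reference library: it reads the d= tag from a DomainKey-Signature header and tests it against each of the three headers David lists. The sample message, its domains and the function names are constructed for illustration, and the question of which header counts as the sending address is left to the caller.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not taken from the thread).
SAMPLE = """\
DomainKey-Signature: a=rsa-sha1; s=sel1; d=example.org; c=nofws; q=dns;
 b=Q09OU1RSVUNURUQ=
From: Alice <alice@mail.example.org>
Sender: list-bounces@lists.example.net
Resent-From: bob@notexample.org
Subject: test

body
"""

def parse_dk_tags(value):
    """Split a DomainKey-Signature value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")   # b= may itself end in '='
            tags[name.strip().lower()] = "".join(val.split())  # drop folding
    return tags

def domain_covered(d, address):
    """True if d equals the address's domain or is one of its parents."""
    addr = parseaddr(address)[1]
    if "@" not in addr or not d:
        return False
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    d = d.lower().rstrip(".")
    # Compare on a label boundary so notexample.org does not match example.org.
    return domain == d or domain.endswith("." + d)

def check_identities(raw, headers=("From", "Sender", "Resent-From")):
    """Apply the d= rule to each candidate header; None if d= is absent."""
    msg = message_from_string(raw)
    sig = msg.get("DomainKey-Signature")
    d = parse_dk_tags(sig).get("d") if sig else None
    if not d:
        return None  # the draft says d= MUST be present
    return {h: domain_covered(d, msg[h]) for h in headers if msg[h]}

if __name__ == "__main__":
    print(check_identities(SAMPLE))
```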