Re: [exim] Exim Snapshot - DomainKeys support - Testers want…

Author: Tom Kistner
Date:  
To: David Woodhouse
CC: exim-users, exiscanusers
Subject: Re: [exim] Exim Snapshot - DomainKeys support - Testers wanted
David Woodhouse wrote:

> Hmmm. What about the Resent-From: address? That could well be newer.


[..]

> That's why I'm asking. DK should be usable with lists if done sensibly.


[..]

> Obviously I'd have to be insane to reject your mail because the
> 'd=duncanthrax.net' signature is bad after it came through the mailing
> list. But the list adds its own Sender: header -- hence my question
> about what precisely is meant by the 'sending email address'. What
> happens when we see a message with two DomainKey-Signature: headers?


In principle, you are right. The draft says:

A signer MUST NOT sign an email that already contains a
"DomainKey-Signature:" header unless a "Sender:" header has been added
that was not included in the original signature. The most obvious case
where this occurs is with mailing lists.

And:

A signer SHOULD NOT remove an existing "DomainKey-Signature:" header.

So if you get two or more DomainKey-Signature: headers, the algorithm
must use the outermost one (or the one relating to the outermost
"Sender:" header).

What I meant was that the majority of deployed mailing list systems will
be slow in either being DK-aware (add headers on top, no body mangling)
or deploying DK themselves. When list systems re-sign mail, they should
obviously only do so if the original message had a good DK signature (so
they "forward" the good result).

/tom
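
The draft rule quoted in the message above, as an added Python example (not part of the original message and not Exim's implementation): it picks the outermost DomainKey-Signature: header and decides whether a relay such as a list may add its own signature. It assumes header order reflects when headers were added, so a Sender: above the top-most signature counts as not covered by it; verification itself is left to the caller through the hypothetical `existing_sig_good` flag, and the sample message is constructed.

```python
from email import message_from_string

# Constructed sample: a list has prepended its own Sender: above the
# author's DomainKey-Signature: header (all values are placeholders).
SAMPLE = """\
Sender: exim-users-bounces@lists.example
DomainKey-Signature: a=rsa-sha1; s=sel; d=author.example; c=nofws; q=dns; b=PLACEHOLDER
From: Author <author@author.example>
To: exim-users@lists.example
Subject: test

body
"""

def header_positions(msg, name):
    """Indexes (0 = top of the header block) of every header called `name`."""
    return [i for i, (k, _) in enumerate(msg.items()) if k.lower() == name.lower()]

def outermost_signature(msg):
    """Return (index, tag dict) for the top-most DomainKey-Signature:, or None."""
    pos = header_positions(msg, "DomainKey-Signature")
    if not pos:
        return None
    idx = pos[0]
    tags = {}
    for part in msg.items()[idx][1].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return idx, tags

def may_sign(msg, existing_sig_good):
    """Draft rule: re-sign only if a new Sender: sits outside the existing
    signature; list advice from the message: only if that signature was good."""
    sig = outermost_signature(msg)
    if sig is None:
        return True  # unsigned mail: the rule does not restrict signing
    idx, _ = sig
    # Assumption: a Sender: above the signature was added after signing.
    new_sender = any(p < idx for p in header_positions(msg, "Sender"))
    return new_sender and existing_sig_good

if __name__ == "__main__":
    m = message_from_string(SAMPLE)
    print(outermost_signature(m)[1]["d"], may_sign(m, True), may_sign(m, False))
```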