I'm definitely going to stick with "nofws" rather than "simple"
canonicalization, as it does seem that "simple" is still problematic
with at least one other system -- gmail. I'm using exim 4.62 w/
libdomainkeys-0.68 on OS X.4. Using "nofws" I am not seeing any sign
of trouble.

Using "simple", I have successful validation when using Yahoo's
dktest@???, Sendmail's sa-test@???, and Skylist's
http://www.skylist.net/resources/authentication.php testing
services. Gmail still insists that it's bad, however!

I've read the "domainkeys experiment and c=simple always bad" thread
too, so I'm using a similar subject line here. At this point, since
libdomainkeys is current, and things are validating at prominent test
sites, I would blame GMail for validating the signature in a
different way or having MTAs that tamper with key headers. I have
submitted a report to them on that assumption.

I also applied the recent patch posted to exim-dev which adds the "h"
tag to the signature to inform the receiver explicitly of which
headers were included in the hash. I think this is a great
addition. It did not affect the gmail validation trouble, however --
that seems specific to whitespace and/or header wrapping.

FWIW, I recommend that people use "nofws" only -- in fact that should
be the default, since "simple" is more fragile. Hope my couple
experiences here can help a few others with this configuration setting.
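
An added illustration, not part of the original post and not libdomainkeys code: a simplified Python reading of the two DomainKeys canonicalizations (RFC 4870) that shows why header re-wrapping or whitespace changes in transit break "simple" but not "nofws". It compares SHA-1 digests instead of doing full signing and ignores the "h" tag; the message, the relay's changes and all function names are constructed for the example.

```python
import hashlib

WSP = b" \t\r\n"  # characters "nofws" deletes from every line

def split_message(raw):
    """Return (header_lines, body_lines) with line endings normalised away."""
    lines = raw.replace(b"\r\n", b"\n").split(b"\n")
    sep = lines.index(b"") if b"" in lines else len(lines)
    return lines[:sep], lines[sep + 1:]

def join_crlf(headers, body):
    """Drop trailing empty body lines, then emit everything with CRLF endings."""
    while body and body[-1] == b"":
        body = body[:-1]
    lines = headers + ([b""] + body if body else [])
    return b"".join(line + b"\r\n" for line in lines)

def canon_simple(raw):
    # "simple": bytes are hashed as they arrive, folds and spaces included.
    return join_crlf(*split_message(raw))

def canon_nofws(raw):
    # "nofws": unfold continuation lines, then delete all whitespace per line.
    headers, body = split_message(raw)
    unfolded = []
    for line in headers:
        if unfolded and line[:1] in (b" ", b"\t"):
            unfolded[-1] += line
        else:
            unfolded.append(line)
    strip = lambda line: bytes(c for c in line if c not in WSP)
    return join_crlf([strip(h) for h in unfolded], [strip(b) for b in body])

def digest(canon, raw):
    return hashlib.sha1(canon(raw)).hexdigest()

def survives_transit(signed, received):
    """Which canonicalizations still produce the signer's digest on receipt?"""
    return {c.__name__: digest(c, signed) == digest(c, received)
            for c in (canon_simple, canon_nofws)}

# Constructed sample: the message as signed, and the same message after a
# hypothetical relay re-folds the long Subject header and pads a body line.
SIGNED = (b"From: alice@example.org\r\nTo: bob@example.net\r\n"
          b"Subject: quarterly report for the infrastructure team, draft three\r\n"
          b"\r\nHello Bob,\r\nsee attached.\r\n")
RECEIVED = (b"From: alice@example.org\r\nTo: bob@example.net\r\n"
            b"Subject: quarterly report for the infrastructure team,\r\n"
            b" draft three\r\n"
            b"\r\nHello Bob, \r\nsee attached.\r\n\r\n")
```

Calling `survives_transit(SIGNED, RECEIVED)` reports which of the two digests still matches after the whitespace-only changes.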