[exim] domainkeys and c=simple always bad according to gmail

Author: Erik
Date:  
To: exim-users
Subject: [exim] domainkeys and c=simple always bad according to gmail
I'm definitely going to stick with "nofws" rather than "simple"
canonicalization, as it does seem that "simple" is still problematic
with at least one other system -- gmail. I'm using exim 4.62 w/
libdomainkeys-0.68 on OS X.4. Using "nofws" I am not seeing any sign
of trouble.

Using "simple", I have successful validation when using Yahoo's
dktest@???, Sendmail's sa-test@???, and Skylist's
http://www.skylist.net/resources/authentication.php testing
services. Gmail still insists that it's bad, however!

I've read the "domainkeys experiment and c=simple always bad" thread
too, so I'm using a similar subject line here. At this point, since
libdomainkeys is current, and things are validating at prominent test
sites, I would blame GMail for validating the signature in a
different way or having MTAs that tamper with key headers. I have
submitted a report to them on that assumption.

I also applied the recent patch posted to exim-dev which adds the "h"
tag to the signature to inform the receiver explicitly of which
headers were included in the hash. I think this is a great
addition. It did not affect the gmail validation trouble, however --
that seems specific to whitespace and/or header wrapping.

FWIW, I recommend that people use "nofws" only -- in fact that should
be the default, since "simple" is more fragile. Hope my couple
experiences here can help a few others with this configuration setting.
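
The fragility described in the message above, as an added example that is not part of the original post or of exim/libdomainkeys: a simplified Python model of the two DomainKeys canonicalizations, run over a constructed message before and after a relay re-folds its Subject header. The addresses, the message text and the function names are assumptions made for the illustration, and SHA-1 is used only to compare the canonical forms.

```python
import hashlib

def _lines(raw):
    # Split into lines without terminators, accepting CRLF or LF input.
    lines = raw.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()                      # trailing empty lines are ignored
    return lines

def canon_simple(raw):
    # "simple": lines are hashed as they are, each terminated by CRLF.
    return "".join(l + "\r\n" for l in _lines(raw))

def canon_nofws(raw):
    # "nofws" (simplified model): unfold header continuation lines and
    # remove all spaces and tabs before hashing.
    out, in_headers = [], True
    for line in _lines(raw):
        if in_headers and line == "":
            in_headers = False           # blank line separates headers from body
            out.append("")
            continue
        continuation = in_headers and line[:1] in (" ", "\t") and bool(out)
        stripped = line.replace(" ", "").replace("\t", "")
        if continuation:
            out[-1] += stripped          # join onto the header it continues
        else:
            out.append(stripped)
    return "".join(l + "\r\n" for l in out)

def digest(canon, raw):
    return hashlib.sha1(canon(raw).encode("ascii")).hexdigest()

# Constructed sample message (not taken from the thread).
ORIGINAL = (
    "From: sender@example.org\r\n"
    "To: rcpt@example.net\r\n"
    "Subject: a fairly long subject line that a relay may decide to re-wrap\r\n"
    "\r\n"
    "Hello world\r\n"
)
# The same message after an intermediate MTA folds the Subject header.
REWRAPPED = ORIGINAL.replace("that a relay", "that\r\n a relay")

if __name__ == "__main__":
    for name, canon in (("simple", canon_simple), ("nofws", canon_nofws)):
        same = digest(canon, ORIGINAL) == digest(canon, REWRAPPED)
        print(f"{name:6s} digest survives re-wrapping: {same}")
```

Under "simple" the re-folded header changes the hashed bytes, so a signature made over the original no longer verifies; under "nofws" both forms reduce to the same canonical text.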