Erik Schorr wrote:
> Tom, Good to know. Now I wonder if the DomainKeys specification honors
> this if the envelope sender and the From: header don't match, and if so,
> which _should_ the dk domain match?
The domain in the "From:" header, or the "Resent-From:" header. The idea
was to "protect" the domain that end users can see in their User Agents.
As you just found out, this can be problematic.
DKIM does away with that, there you can sign with any domain you like,
it does not try to correlate other header content. So DKIM is more
suited for MTA->MTA verification, instead of MTA->MTA->MUA verification
like DK is.
/tom
> Tom Kistner wrote:
>> Erik Schorr wrote:
>>
>>> It's very odd that we can set the selector to use for signing, but
>>> not override the domain reported in the domainkey-signature header.
>>>
>>> Is there a workaround for this? Perhaps a feature being worked on?
>>> Am I on crack and just trying to break a rule in the DK spec?
>>
>> You can set the domain to sign with using the dk_domain option of the
>> transport. See bottom of this page:
>>
>> http://wiki.exim.org/DomainKeys
>>
>> /tom
>>
>>
