Author: Graeme Fowler
Date:
To: exim-users
Subject: Re: [exim] Strange problem with domainkeys

On Mon, 2007-12-10 at 11:42 +0100, Luca Bertoncello wrote:
> Sure, but it signs always the "Received", too... And this IS altered, of
> course, by every MTA...
So that's a daft header to use for signing, then!
> Has someone a solution for this problem? Otherwise it has the same problem of
> SPF, but without a solution... :(
Don't use "Received:" headers for the signing process, perhaps?
Otherwise, the signature could be invalidated by any number of
completely non-interactive (i.e. not involving a human, like forwarding
which has to be chosen) means, like (for example) traversing a backup
MX. Or a transparent SMTP proxy, which some ISPs still use for outbound
mail. Or... or... well, any number of things.
Interestingly, the DKIM specification RFC4871 states:

   The following header fields SHOULD NOT be included in the signature:

   o  Return-Path
   o  Received
   o  Comments, Keywords

OK, I know that DKIM isn't DomainKeys, but it does obsolete it (4871
obsoletes 4870) but that statement alone is worth many thousands of
other words.
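
A check along the lines of the advice above, as an added example that is not part of the original message or of Exim: it reads the h= tag of a DKIM-Signature header value and reports any signed field that the RFC 4871 list quoted above says SHOULD NOT be signed. The function names and the sample signature values (example.org, selector, PLACEHOLDER data) are constructed for illustration.

```python
import re

# Header fields RFC 4871 says SHOULD NOT be included in the signature
# (the list quoted in the message above).
FRAGILE = {"return-path", "received", "comments", "keywords"}


def parse_tag_list(value):
    """Parse a 'tag=value; tag=value' list into a dict, unfolding header continuations."""
    tags = {}
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    for part in unfolded.split(";"):
        if "=" not in part:
            continue
        # Split on the first '=' only: base64 values may end in '=' padding.
        name, _, val = part.partition("=")
        tags[name.strip()] = val.strip()
    return tags


def signed_headers(signature_value):
    """Return the lower-cased field names listed in the h= tag, in order."""
    h = parse_tag_list(signature_value).get("h", "")
    return [n.strip().lower() for n in h.split(":") if n.strip()]


def fragile_signed_headers(signature_value):
    """Return the signed field names that RFC 4871 advises against signing."""
    found = []
    for name in signed_headers(signature_value):
        if name in FRAGILE and name not in found:
            found.append(name)
    return found


# Constructed sample values; domain, selector and bh=/b= data are placeholders.
BAD_SIG = ("v=1; a=rsa-sha256; d=example.org; s=sel1; c=relaxed/simple;\r\n"
           "\th=Received : From : To :\r\n\t Subject : Date : Return-Path;\r\n"
           "\tbh=PLACEHOLDER; b=PLACEHOLDER")
GOOD_SIG = ("v=1; a=rsa-sha256; d=example.org; s=sel1; "
            "h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    for label, sig in (("bad", BAD_SIG), ("good", GOOD_SIG)):
        print(label, fragile_signed_headers(sig) or "ok")
```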