Mike Cardwell wrote:
>>> Just trying to get my head around how to do dkim verification. When
>>> doing the ${lookup dkim{}} are you supposed to use the domain from the
>>> From: header? Ie, would this be sane:
>>>
>>>
>>> deny set acl_m1 = ${lookup dkim{${lc:${domain:$h_from:}}}}
>>> condition = ${if eq{$acl_m1}{bad}}
>>> message = Bad DKIM signature
>>>
>>> I'm not asking whether or not it is sane to block an email with a bad
>>> signature, I'm asking whether or not that method of looking up the
>>> validity of a signature is correct?
>>>
>>> On the example at http://wiki.exim.org/DKIM it says to use "${lookup
>>> dkim{domain.example}}" but doesn't explain what you're supposed to
>>> replace domain.example with.
>> I'm using the following:
>>
>> warn message = DomainKey-Status: ${lookup dkim{$sender_address_domain}}
>> add_header = X-Exim-DKIM-Status: ${lookup dkim{$sender_address_domain}}
>>
>> It's not perfect, in fact seems to add an extra header like this:
>>
>> X-Exim-DKIM-Status: unsigned
>> DomainKey-Status: unsigned
>>
>> But it answers your question about what to use as parameter.
>
> Hmmm. I think I misunderstand something basic about DKIM then as I
> thought the envelope sender didn't come into it.
I've been reading over
http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.1
From what I understand, you verify using the domain in the "d" value in
the DKIM-Signature header. So I could send an email with my domain in
the envelope sender, with a valid DKIM signature under my own domain,
but then with "Paypal <support@???>" in the From header, and it
would validate fine. What is the point of DKIM again?
Can anyone explain this to me, before I go hunting for dkim specific
mailing lists...?
Mike
