Re: [exim] DKIM signature in outgoing emails

Inizio della pagina
Delete this message
Reply to this message
Autore: Murray S. Kucherawy
Data:  
To: exim-users@exim.org
Oggetto: Re: [exim] DKIM signature in outgoing emails
> -----Original Message-----
> From: exim-users-bounces+msk=cloudmark.com@??? [mailto:exim-users-bounces+msk=cloudmark.com@exim.org] On Behalf Of Gót András
> Sent: Saturday, December 17, 2011 12:58 AM
> To: exim-users@???
> Subject: Re: [exim] DKIM signature in outgoing emails
>
> The dkimstatus plugin in roundcube gives a checkmark when identity
> included and otherwise it gives an info message like this: "The message
> was signed by a 3rd party". Actually gmail doesn't include the identity
> value and facebook includes it. Of course I could modify the roundcube
> plugin, but it would be nice if the i= could be included with exim.
>
> This is in the RFC (http://www.ietf.org/rfc/rfc6376.txt):
>
> "i= The Agent or User Identifier (AUID) on behalf of which the SDID is
> taking responsibility (dkim-quoted-printable; OPTIONAL, default is an
> empty local-part followed by an "@" followed by the domain from the
> "d=" tag)."


Yes, I'm familiar with it. :-) (Hint: Look at the author list.)

As a receiver or verifier, I have no reason to believe what anyone puts in "i=", which is why the DKIM Working Group at IETF shifted its focus to "d=" in RFC5672. The value in that field might match the From: field and it might not. It could be a totally random value. It may or may not be the same from one message to the next even if the author is the same in both. And any match or mismatch doesn't mean the DKIM signature is in any way invalid.

Basically, you have no guarantees about how the signer is using it. That's why I'm wondering who actually cares whether that field is there and what's in it, and what the rationale for doing so might be.

It works if you know how the signer is using it and you trust the signer to be consistent about doing so. But in general, and certainly at a protocol level, you don't know that a priori.

Thus, in OpenDKIM we provide hooks for the verifier to get the "i=" value and do something with it, but the software itself has no requirements and makes no assertions about what might be in there. Any filtering decisions made based on the presence, absence, or content of "i=" is left to the user.

-MSK