Autor: Phil Pennock Data: Dla: Christian Balzer CC: exim-users, Jeremy Harris Temat: Re: [exim] DKIM signing with the i= (Identity) tag/header
On 2016-11-21 at 17:44 +0900, Christian Balzer wrote: > To wit, the record had "v=DKIM1\\\; k=rsa\\\; ..." in it, instead of a
> single backslash.
> The people responsible are being taken out to the backyard for creative
> lead catching courses.
>
> Again, I might have spotted this earlier if Exim itself wouldn't have been
> totally happy to ignore the extra garbage and concentrate on the actual
> yummy contents.
Are you sure that Exim ever saw this?
The MTA which _signs_ the message doesn't look in DNS to do so; it just
uses the keyfile (with private key) on disk, and configuration.
The MTA which _receives_ a message looks in DNS for the public keys.
Unless you've looked in the logs for MTAs for other domains receiving
email from yours, your own MTA's logs won't tell you much because they
never really look at that record in DNS.
If you have signs of Exim doing this, please file a bug-report: a
`v=DKIM1\` value (after de-escaping) should be ignored.
While there's no need to have Exim check DNS needlessly for outbound
messages, and stuff like selectors makes it hard to statically check, I
wonder if it's worth a `-d+dns` debug output on the SMTP transport when
signing with DKIM, to do the DNS lookup and check for a match (and WARN
LOUDLY if it doesn't match). That seems fair to me.