Re: [exim] DKIM signing with the i= (Identity) tag/header

Author: Christian Balzer
Date:  
To: exim-users
CC: Jeremy Harris
Subject: Re: [exim] DKIM signing with the i= (Identity) tag/header
On Tue, 22 Nov 2016 15:05:38 +0000 Jeremy Harris wrote:

> On 21/11/16 23:00, Phil Pennock wrote:
> > If you have signs of Exim doing this, please file a bug-report: a
> > `v=DKIM1\` value (after de-escaping) should be ignored.
>
> Actually, _all_ values for the 'v' tag are ignored for DKIM
> verification:
>

Is there something similar in place for "k="?
Because that also had 3 instead of 1 backslash...

>             case 'v':
>               /* This tag isn't evaluated because:
>                  - We only support version DKIM1.
>                  - Which is the default for this value (set below)
>                  - Other versions are currently not specified.      */
>               break;

>
> Phil: do you want strict enforcement here?


Can't speak for Phil, but incidentally Google themselves seem to be of a
similar mind when it comes to "v=".
---
dig 20120113._domainkey.google.com txt

20120113._domainkey.google.com. 60 IN   TXT     "k=rsa\; p=..."
---


So:
a) They leave out v= altogether in their records.
b) A single backslash in front of semicolons is where it's at.

Since Google and the various DKIM testers (including the plugin for
Thunderbird) seem to be utterly strict ("dkim1" does NOT equate "DKIM1") I
suppose Exim ought to be, too.

Despite my personal preference of having MTAs like Exim work with near
garbage if all relevant information is there to be found.
Because that only pans out if ALL players are doing the same thing.

Christian
-- 
Christian Balzer        Network/Systems Engineer                
chibi@???       Global OnLine Japan/Rakuten Communications
http://www.gol.com/
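
The strict reading discussed in this thread, as an added example that is not part of the original message and is not Exim's code: it undoes the zone-file escaping that dig prints, then applies the RFC 6376 key-record rules (v= optional, but exactly "DKIM1" and first if present; k= defaults to rsa). The function names and sample records are constructed for illustration.

```python
import re

KNOWN_KEY_TYPES = {"rsa", "ed25519"}  # RFC 6376 and RFC 8463

def unescape_presentation(txt):
    """Undo DNS presentation-format escapes (\\X and \\DDD) as printed by dig."""
    def repl(m):
        s = m.group(1)
        return chr(int(s)) if len(s) == 3 else s
    return re.sub(r"\\(\d{3}|.)", repl, txt)

def check_key_record(dig_txt):
    """Return a list of problems a strict verifier would find in a key record."""
    problems, tags, order = [], {}, []
    for spec in unescape_presentation(dig_txt).split(";"):
        if not spec.strip():
            continue
        name, sep, value = spec.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            problems.append(f"malformed tag-spec {spec!r}")
            continue
        if name in tags:
            problems.append(f"duplicate tag {name!r}")
        tags[name] = value
        order.append(name)
    if "v" in tags:
        # v= is optional, but if present it must be first and exactly "DKIM1"
        if tags["v"] != "DKIM1":
            problems.append(f"v={tags['v']!r} is not exactly 'DKIM1'")
        if order[0] != "v":
            problems.append("v= is present but is not the first tag")
    if tags.get("k", "rsa") not in KNOWN_KEY_TYPES:  # k= defaults to rsa
        problems.append(f"k={tags['k']!r} is not a known key type")
    if "p" not in tags:
        problems.append("required p= tag is missing")
    return problems

# Constructed sample records, written the way dig prints them.
SAMPLES = [
    r"k=rsa\; p=PLACEHOLDER",                # no v=, single backslash: fine
    r"v=dkim1\; k=rsa\; p=PLACEHOLDER",      # wrong case in v=
    r"v=DKIM1\\\; k=rsa\\\; p=PLACEHOLDER",  # three backslashes: values end in "\"
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", check_key_record(rec) or "ok")
```

With three backslashes the published data itself contains `\;`, so after splitting on the semicolon both the v= and k= values carry a trailing backslash and fail the exact comparison.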