Re: [exim] ''multidomain'' DKIM: sender or from?

Author: Mike Brudenell
To: Exim Users
CC: Marco Gaiarin
Subject: Re: [exim] ''multidomain'' DKIM: sender or from?
Hi, Marco -

I faced the exact same question as you when setting up DKIM signing here.
You have to think it through very carefully and logically…

Firstly, the DKIM signature you generate could actually use any
private-public key pair — that is, any domain name that you have the key
pair for. DKIM alone does not tie the domain used in the signature to the
address in either the RFC5321.MailFrom (envelope) or RFC5322.From (header).
See RFC6376 section 5.2 <https://tools.ietf.org/html/rfc6376#section-5.2>,
where it says

This specification does not define the basis by which a Signer should
choose which private key and selector information to use.


Linking the domain used in the DKIM-Signature to the sender's address is
achieved with DMARC, which is something you might also want to look at in
the future. Based on that, the best practice would be to create your DKIM
signature based on the domain of the RFC5322.From header and *not* that of
the RFC5321.MailFrom.

This is because DMARC enhances the SPF and DKIM tests as follows:

- The basic SPF test on the domain of the RFC5321.MailFrom must pass
*and* the domain must *align with* the domain of the RFC5322.From
address;
- The basic DKIM test on the domain given as the "d=" attribute of the
DKIM-Signature must pass *and* the domain must align with the domain of
the RFC5322.From address.

In essence DMARC ties the two domains SPF and DKIM use — that of the
RFC5321.MailFrom and the DKIM-Signature header respectively — to the
recipient-visible address in the RFC5322.From header.

Hence it would be a very good idea to select the domain for the DKIM
signature you generate based on the RFC5322.From address.

Cheers,
Mike B-)

On 24 January 2017 at 13:34, Marco Gaiarin <gaio@???> wrote:

>
> I'm testing DKIM implementation in my exim server, and looking out google
> point me here:
>
>         https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
>
> for multidomain setup (i'm interested in) the author proposed:
>
>         DKIM_DOMAIN = ${lc:${domain:$h_from:}}
>
> but i think it is better to use the sender, eg do:
>
>         DKIM_DOMAIN = ${lc:${domain:$sender_address}}
>
> or not? reading https://www.ietf.org/rfc/rfc4871.txt, point 5.5, seems
> that
> From: is a signed header while the sender (Return-Path:) not.
>
>
> I'm a bit confused... thanks...
>
> --
>   ...the bridge over the Strait of Messina will unite «not two coasts but two mafia clans».
>                                                         (Niki Vendola)
>
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
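An added example, not code from the thread or from Exim, illustrating the alignment rule described above: it evaluates DMARC identifier alignment for a DKIM "d=" taken from the RFC5322.From domain versus one taken from the RFC5321.MailFrom domain. The public-suffix subset, addresses and domains are constructed for the demonstration.

```python
# Added example (not from the list thread): DMARC identifier alignment check.
# Shows why a DKIM "d=" taken from RFC5322.From aligns with the From domain,
# while one taken from RFC5321.MailFrom (Exim's $sender_address) may not.
# PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
from email.utils import parseaddr

PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "ac.uk"}  # constructed subset


def org_domain(domain: str) -> str:
    """Organizational domain: one label more than the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(from_domain: str, auth_domain: str, mode: str = "relaxed") -> bool:
    """DMARC alignment: strict needs identical domains, relaxed same org domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "strict":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_result(hdr_from: str, mail_from: str, dkim_d: str,
                 spf_pass: bool, dkim_pass: bool, mode: str = "relaxed") -> dict:
    """DMARC passes if at least one passing identifier aligns with From."""
    from_dom = parseaddr(hdr_from)[1].rsplit("@", 1)[-1]
    mf_dom = parseaddr(mail_from)[1].rsplit("@", 1)[-1]
    spf_ok = spf_pass and aligned(from_dom, mf_dom, mode)
    dkim_ok = dkim_pass and aligned(from_dom, dkim_d, mode)
    return {"from": from_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed scenario: the envelope sender is a separate bounce domain,
    # the header From is the author's domain (as with lists or bulk senders).
    good = dmarc_result("Alice <alice@example.org>", "bounces@lists.example.com",
                        dkim_d="example.org", spf_pass=True, dkim_pass=True)
    bad = dmarc_result("Alice <alice@example.org>", "bounces@lists.example.com",
                       dkim_d="lists.example.com", spf_pass=True, dkim_pass=True)
    print("d= from From header :", good)   # dmarc_pass True
    print("d= from MailFrom    :", bad)    # dmarc_pass False
```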