Re: [exim] ''multidomain'' DKIM: sender or from?

Pàgina inicial
Delete this message
Reply to this message
Autor: Mike Brudenell
Data:  
A: Exim Users
Assumpte: Re: [exim] ''multidomain'' DKIM: sender or from?
Hi, Heiko -

On 31 January 2017 at 16:44, Heiko Schlittermann <hs@???>
wrote:

> The RFC5322.From header may contain multiple addresses.
> If the From: field contains more than one address, the Sender: field
> *must* be present. So, I believe, you should check From: *and* Sender:
>


Hmm, I'm not convinced…

As I explained, I'm basing my choice of which DKIM key to sign with on the
use of DMARC to verify the messages at the receiving system. In the DMARC
RFC section 6.6.1 Extract Author Domain
<https://tools.ietf.org/html/rfc7489#section-6.6> it (in extracts) says:

The domain in the RFC5322.From field is extracted as the domain to be
evaluated by DMARC.

In order to be processed by DMARC, a message typically needs to contain
exactly one RFC5322.From domain (a single From: field with a single domain
in it). Not all messages meet this requirement, and handling of them is
outside of the scope of this document. Typical exceptions, and the way they
have been historically handled by DMARC participants, are as follows:



- Messages bearing a single RFC5322.From field containing multiple
addresses (and, thus, multiple domain names to be evaluated) are typically
rejected because the sorts of mail normally protected by DMARC do not use
this format;

Although admittedly the final paragraph of the section does go on to say:

The case of a syntactically valid multi-valued RFC5322.From field presents
a particular challenge. The process in this case is to apply the DMARC
check using each of those domains found in the RFC5322.From field as the
Author Domain and apply the most strict policy selected among the checks
that fail.


There is no mention anywhere of DMARC using the RFC5322.Sender address to
verify the authentication of the incoming message, so I'm not convinced as
to the benefit of selecting a DKIM key to sign with based on the domain of
that address.

Also, using local knowledge of our setup, the systems we use on campus are
*highly* unlikely to generate outgoing emails with multiple addresses in
the RFC5322.From so I'm comfortable with using its (single) address to
select the signing key.

If I wanted to cover all bases then based on the above I'd instead be
looking to generate a DKIM signature for each distinct domain of ours
present in the RFC5322.From addresses, not on the RFC5322.Sender address.

A question… Does Exim support generating multiple DKIM signatures from a
list of domains? The dkim_domain, dkim_selector, dkim_private_key etc
options only seem to take strings as their arguments, not lists of strings,
so I can't envision how this would be done?

Cheers,
Mike B-)

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm