On 28/04/2019 16:42, Andrew C Aitchison via Exim-dev wrote:
> Do the DKIM exim experts subscribe to the mailop list ?
>
> There is an ongoing discussion on the mailop@???
> about a snafu with DKIM which implicates exim and google.
>
> The original report of the snafu (google rejections caused the list to
> auto-unsubscribe over a hundred subscribers of the list):
> https://chilli.nosignal.org/cgi-bin/mailman/private/mailop/2019-April/013974.html
>
>
> A description of the sending system that caused the issue:
> https://chilli.nosignal.org/cgi-bin/mailman/private/mailop/2019-April/013991.html
>
>
> A suggestion for the exim developers:
> https://chilli.nosignal.org/cgi-bin/mailman/private/mailop/2019-April/013994.html
>
>
> Basically a user with a stock debian exim setup (version number yet given)
> sent a message to the list with some signed non-existent headers; when the
> list passed the message on it generated these headers and google failed
> on the signature discrepancy.
Most mailinglists, including mailop, append to the body of submissions
distributed as non-digests, so DKIM signatures will become invalid due
to that (assuming the mostly-deprecated DKIM bodylength feature is not
used).
Trying to game the adding of list headers would be applying lipstick to
a pig.
The snafu is Google's fault for ignoring the part of the DKIM standard
that says "a lack of verifiable signature should not be grounds for
rejection" (my paraphrase, RFC 6376 Section 6.3), and DKIM's fault for
being an enabler of breaking traditional uses of email (mailinglists,
in this case).
--
Cheers,
Jeremy