On Thu, Aug 12, 2021 at 10:55:37AM +0200, Simon Josefsson via Exim-users wrote:
> Hi! I think I have ran into this problem:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939808
>
> My outgoing e-mails (like this one) is DKIM signed by Exim, and the
> signature covers (on sending, the non-existing) List-Id header, which a
> mailing list software inserts, breaking the DKIM signature for
> recipients. I'm getting some DMARC reports about failures due to
> invalid signatures, and these usually comes when I post something to a
> mailing list. Is my analysis correct?
It's a realistic scenario. But is it your case or not - depends on details.
> What do you think about the patch posted in the link above? See below.
Seems good for me.
The built-in value could be changed with dkim_sign_headers, but
this patch gives much more reasonable default, IMHO.
However, a wish to keep original DKIM signature is almost pointless,
because there are too many places where it may be broken.
Forwarder (in general) should change contents of the "From:" header
if sender's domain has DMARC policy. Many mail lists do not perform
such manipulations, because DMARC is a relatively new technology.
--
Eugene Berdnikov
