Re: [exim] DKIM d= field and corresponding key

Author: Slavko (tblt)
To: exim-users
Subject: Re: [exim] DKIM d= field and corresponding key
On 14 October 2021 22:22:34 UTC, Andy Bennett via Exim-users <exim-users@???> wrote:
>Is there any reason why the default settings are not optimal?
>...and how to choose between relaxed and strict modes?

I mean not optimal for me, of course.

By default "the header names listed in RFC4871 will be used, whether or not each header is present in the message" (from docs). This is not always what one wants, while still a good choice as default. Some headers have to be oversigned, so that they cannot be added later (without invalidating the signature), some will be oversigned, but only when they are present in the message, and some will be signed, but allowed to be added later (again without invalidating the signature). Neither the exim default nor the provided macros fulfill this, thus I chose rspamd's way...

One mostly wants relaxed, as simple (beware, not strict) can lead to unexpected results if the message is "fixed" on the path, or to cite someone else:

    The really simple takeaway is “use relaxed canonicalization”.

As relaxed is the default, no need to care ;-)

The strict (aka dkim_strict) is not about signing, but about exim's behavior when signing fails. But it is about an internal failure, not about not signing due to an empty domain, selector or key value. As my service is not mission critical, I leave the default. If something goes bad, I will see it in DMARC reports.

Your needs/requirements can be different...
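
Added example, not part of the original message and not exim code: the simple and relaxed canonicalization rules of RFC 6376 section 3.4, applied to a message before and after a relay re-folds a header and trims trailing whitespace. The sample message and the helper names (`canon_header`, `canon_body`, `body_hash`, `survives`) are constructed for illustration; a real verifier also hashes the DKIM-Signature header itself, which is omitted here.

```python
import base64
import hashlib
import re

def canon_header(field: bytes, mode: str) -> bytes:
    """Canonicalize one header field (with its CRLF) per RFC 6376 section 3.4."""
    if mode == "simple":
        return field                                  # used byte for byte
    name, _, value = field.partition(b":")
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)     # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value)           # WSP runs -> single SP
    value = value.rstrip(b"\r\n").strip(b" ")         # no WSP around the value
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"

def canon_body(body: bytes, mode: str) -> bytes:
    """Canonicalize the body; both modes ignore empty lines at the end."""
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
        body = b"\r\n".join(lines)
    while body.endswith(b"\r\n"):
        body = body[:-2]
    if mode == "relaxed" and not body:
        return b""                                    # empty body stays empty
    return body + b"\r\n"

def body_hash(body: bytes, mode: str) -> str:
    """The value a signer would place in bh= (SHA-256, base64)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def survives(signed, relayed, canon: str):
    """(headers_ok, body_ok): do the canonical forms still match after transit?"""
    hmode, bmode = canon.split("/")
    h_ok = ([canon_header(h, hmode) for h in signed[0]]
            == [canon_header(h, hmode) for h in relayed[0]])
    return h_ok, body_hash(signed[1], bmode) == body_hash(relayed[1], bmode)

# Constructed sample: the message as signed, and as a relay might "fix" it.
SIGNED = ([b"Subject: Quarterly  report\r\n", b"From: Alice <alice@example.org>\r\n"],
          b"Hello,\r\nsee attachment. \r\n\r\n")
RELAYED = ([b"Subject: Quarterly\r\n report\r\n", b"From:  Alice <alice@example.org>\r\n"],
           b"Hello,\r\nsee attachment.\r\n")

if __name__ == "__main__":
    for canon in ("simple/simple", "relaxed/relaxed"):
        print(canon, survives(SIGNED, RELAYED, canon))
```
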