Re: [exim] DKIM d= field and corresponding key

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Slavko
Dátum:  
Címzett: exim-users
Tárgy: Re: [exim] DKIM d= field and corresponding key
Dňa 14. októbra 2021 22:22:34 UTC používateľ Andy Bennett via
Exim-users <exim-users@???> napísal:
>Is there any reason why the default settings are not optimal?
>
>...and how to choose between relaxed and strict modes?


I mean not optimal for me, of course.

By derault "the header names listed in RFC4871 will be used, whether or
not each header is present in the message" (from docs). This is not
always what one want, while still good choice as default. Some headers
have to be oversigned, to cannot be added later (without invalidating
signature), same will be oversigned, but only when they present in
message and some will be signed, but allow to be added later (again
without invalidating signature). The exim default nor provided macros
fulfill this, thus i chose rspamd's way...

One mostly want relaxed, as simple (beware, not strict) can leads to
unexpected results if message is "fixed" on the path, or to cite
someone other:

    The really simple takeaway is “use relaxed canonicalization”.


As relaxed is default, not need to care ;-)

The strict (aka dkim_strict) is not about signing, but about exim
behavior, when signing fails. But it is about internal fail, not about
not signing due empty domain, selector or key value. As my service is
not mission critical, i leave default. If something goes bad, i will
see it in DMARC reports.

Your needs/requirements can be different...

regards

--
Slavko
http://slavino.sk