Hi!
I'm also looking into optimizing my DKIM configuration, especially which
headers to sign. Unfortunately, DMARC reports tell you only that the DKIM
verification failed but not why. The default for dkim_sign_headers doesn't
work well for me.
On Mon, 23 Oct 2023, Andreas Metzler via Exim-users wrote:
> I think it depends on which the header would be added. Some additions
> should be allowed. Exim's default setting for dkim_sign_headers is
> extremely conservative and imho does not make sense. I had tried to
> discuss this in https://bugs.exim.org/show_bug.cgi?id=2394.
>
> I personally am using +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-Post
> I am sure this set is not perfect and I have missed something, though.
There some changes between the RFCs:
RFC4871, Section 5.5., Recommended Signature Content
The following header fields SHOULD be included in the signature, if
they are present in the message being signed:
o From (REQUIRED in all signatures)
o Sender, Reply-To
o Subject
o Date, Message-ID
o To, Cc
o MIME-Version
o Content-Type, Content-Transfer-Encoding, Content-ID, Content-
Description
o Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc,
Resent-Message-ID
o In-Reply-To, References
o List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
List-Owner, List-Archive
RFC6376, Section 5.4.1, Recommended Signature Content
o From (REQUIRED; see Section 5.4)
o Reply-To
o Subject
o Date
o To, Cc
o Resent-Date, Resent-From, Resent-To, Resent-Cc
o In-Reply-To, References
o List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
List-Owner, List-Archive
Wouldn't it make sense to update the default for dkim_sign_headers
accordingly? Anyway, I'll try RFC6376's recommended headers and hope it
will decrease my DKIM verification issues.
ciao
Markus
--
/ Markus Reschke \
\ madires@??? /
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
