[exim] Re: List headers [Was: DKIM does not work]

Author: Andrew C Aitchison
Date:
To: Markus Reschke
CC: Andreas Metzler via Exim-users
Subject: [exim] Re: List headers [Was: DKIM does not work]
On Mon, 23 Oct 2023, Markus Reschke via Exim-users wrote:

> I'm also looking into optimizing my DKIM configuration, especially which
> headers to sign. Unfortunately, DMARC reports tell you only that the DKIM
> verification failed but not why. The default for dkim_sign_headers doesn't
> work well for me.
>
> On Mon, 23 Oct 2023, Andreas Metzler via Exim-users wrote:
>
>> I think it depends on which header would be added. Some additions
>> should be allowed. Exim's default setting for dkim_sign_headers is
>> extremely conservative and imho does not make sense. I had tried to
>> discuss this in https://bugs.exim.org/show_bug.cgi?id=2394.
>>
>> I personally am using
>> +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-Post
>> I am sure this set is not perfect and I have missed something, though.
>
> There are some changes between the RFCs:
>
> RFC4871, Section 5.5., Recommended Signature Content
>
> The following header fields SHOULD be included in the signature, if
> they are present in the message being signed:
>
>   o  From (REQUIRED in all signatures)
>   o  Sender, Reply-To
>   o  Subject
>   o  Date, Message-ID
>   o  To, Cc
>   o  MIME-Version
>   o  Content-Type, Content-Transfer-Encoding, Content-ID, Content-
>      Description
>   o  Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc,
>      Resent-Message-ID
>   o  In-Reply-To, References
>   o  List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
>      List-Owner, List-Archive
>
>
> RFC6376, Section 5.4.1, Recommended Signature Content
>
>   o  From (REQUIRED; see Section 5.4)
>   o  Reply-To
>   o  Subject
>   o  Date
>   o  To, Cc
>   o  Resent-Date, Resent-From, Resent-To, Resent-Cc
>   o  In-Reply-To, References
>   o  List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
>      List-Owner, List-Archive
>
> Wouldn't it make sense to update the default for dkim_sign_headers
> accordingly? Anyway, I'll try RFC6376's recommended headers and hope it will
> decrease my DKIM verification issues.


I think one of the issues (the one IanZ reported) is that RFC4871
says that
    The following header fields SHOULD be included in the signature,
   *** if they are present in the message being signed: ***
but Exim signs the List-* headers even if they do not exist.
RFC6376 drops those words, which could be taken to mean that Exim is
currently correct. However, signing those headers that are not present
ensures that messages that go through many mailing lists fail that
signature check.


I believe that the default for dkim_sign_headers should have '=' at least for each of the List-* headers,
as Andreas has done.

-- 
Andrew C. Aitchison                      Kendal, UK
                    andrew@???
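
The effect discussed in this message, as an added example that is not part of the original post and is not Exim code: a simplified Python model of DKIM header selection (RFC 6376, section 5.4.2) showing why a signature that covers an absent List-Id breaks once a mailing list adds that header. It assumes the dkim_sign_headers prefix semantics as described in the Exim documentation (no prefix: one slot whether or not the header exists; "=": only instances present; "+": instances present plus one extra slot). Canonicalization is reduced to lowercasing and trimming, the body hash and the RSA step are left out, and the messages and addresses are constructed samples.

```python
import hashlib

def build_h_tag(spec, headers):
    """Expand an Exim-style dkim_sign_headers list into DKIM h= names
    (prefix semantics are an assumption taken from the Exim docs)."""
    present = [name.lower() for name, _ in headers]
    h = []
    for item in filter(None, spec.split(":")):
        prefix = item[0] if item[:1] in ("+", "=") else ""
        name = item[len(prefix):].lower()
        count = present.count(name)
        if prefix == "=":      # every instance present, nothing if absent
            h += [name] * count
        elif prefix == "+":    # every instance present plus one "absent" slot
            h += [name] * (count + 1)
        else:                  # one slot, whether or not the header exists
            h.append(name)
    return h

def header_hash(h, headers):
    """RFC 6376 5.4.2 selection: each h= name consumes the bottom-most unused
    instance; a name with no instance left contributes the null string."""
    remaining = [(n.lower(), v.strip()) for n, v in headers]
    picked = []
    for name in h:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0] == name:
                picked.append("%s:%s\r\n" % remaining.pop(i))
                break
    return hashlib.sha256("".join(picked).encode()).hexdigest()

def survives_list(spec, original, relayed):
    """True if the header hash fixed at signing time still matches after relay."""
    h = build_h_tag(spec, original)
    return header_hash(h, original) == header_hash(h, relayed)

# Constructed sample: the same message before and after a list adds List-Id.
ORIGINAL = [("From", "alice@example.org"), ("Subject", "hello")]
RELAYED = ORIGINAL + [("List-Id", "<users.lists.example.net>")]

if __name__ == "__main__":
    for spec in ("From:Subject:List-Id", "+From:+Subject:=List-Id"):
        print(spec, "->", "pass" if survives_list(spec, ORIGINAL, RELAYED) else "FAIL")
```

A list that also rewrites Subject or the body breaks the signature regardless of the List-* setting; the model only covers added headers.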

