[exim] Re: autoreply and DKIM signature ?

Author: Chris Siebenmann
Date:
To: Andreas Metzler
CC: exim-users, Chris Siebenmann
Subject: [exim] Re: autoreply and DKIM signature ?
> On 2024-08-14 Chris Siebenmann via Exim-users <exim-users@???> wrote:
> > > On 14/08/2024 15:27, Kurt Jaeger via Exim-users wrote:
> > > > So: user1@domain1 has an autoreply, and the autoreply
> > > > should be signed with dkim for domain1.
>
> > > I do not agree.
> > > The DKIM RFC says that anyone can sign a message.
>
> > As a practical matter, we[*] have observed GMail rejecting email
> > messages with claims that they are doing so because the DKIM signature
> > domain didn't match the From: domain. After observing this, we switched
> > to signing messages with a domain that matched the From: (and generally
> > not signing them if we had no such match, even though we could have
> > signed them as our main domain name).
> [...]
>
> Hello,
>
> Are you confident your observation is relevant here, in context with
> messages with empty envelope from?
>
> This sounds like gmail is doing the standard DMARC alignment-check
> requiring *either* envelope-from aligning with header-from together with
> SPF-success *or* a DKIM signature whose d= tag matches header-from.


We definitely saw GMail be unhappy with messages that had SPF aligned
envelope senders but a DKIM signature for a domain other than the
Mail-From domain. People here can (and do) generate outgoing email
messages for a number of our domains, with matching Mail-From and
envelope senders, and we used to DKIM sign all of them with our main
domain name. Since they're from one of our domains, the SPF records
aligned with the envelope sender (and the Mail-From) and passed SPF
checks, but the DKIM signature was for a different domain than the
Mail-From and GMail didn't seem to like that.

I don't know how GMail would have reacted to messages with an empty
envelope sender and a DKIM signature domain that didn't match the
Mail-From; we don't generate such emails. (At the time and now, bounces
and other automated emails that would have null senders went out with a
Mail-From of our primary domain, which is the domain we were DKIM
signing for.)

    - cks
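
The DMARC alignment rule described in the quoted reply, applied to the cases raised in this thread, as an added example that is not part of the original message. It models the standard rule only, not GMail's actual behaviour; all domains are constructed, and the organizational-domain logic is a labelled simplification.

```python
# Added example: simplified DMARC identifier alignment (RFC 7489).
# ASSUMPTION: org_domain() keeps the last two labels; production code must
# consult the Public Suffix List. All domains below are constructed.

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_eval(header_from, mail_from, helo, spf_pass, dkim_pass_domains,
               strict_spf=False, strict_dkim=False):
    """Return the aligned, passing identifiers; an empty list means DMARC fail.
    mail_from is '' for a null envelope sender (bounces, autoreplies)."""
    from_domain = header_from.rsplit("@", 1)[1]
    # With a null reverse-path, SPF is evaluated against the HELO name.
    spf_domain = mail_from.rsplit("@", 1)[1] if mail_from else helo
    passed = []
    if spf_pass and aligned(spf_domain, from_domain, strict_spf):
        passed.append("spf:" + spf_domain)
    for d in dkim_pass_domains:
        if aligned(d, from_domain, strict_dkim):
            passed.append("dkim:" + d)
    return passed

def scenarios():
    helo = "mx.main.example"
    return {
        "normal mail, signed as main domain": dmarc_eval(
            "user@dept.example", "user@dept.example", helo, True, ["main.example"]),
        "autoreply, null sender, signed as main domain": dmarc_eval(
            "user1@domain1.example", "", helo, True, ["main.example"]),
        "autoreply, null sender, signed as From: domain": dmarc_eval(
            "user1@domain1.example", "", helo, True, ["domain1.example"]),
    }

if __name__ == "__main__":
    for name, passed in scenarios().items():
        print(f"{name}: {'pass via ' + ', '.join(passed) if passed else 'FAIL'}")
```

With a null envelope sender the SPF identity falls back to the HELO name, so an aligned DKIM signature is the only way for such a message to pass unless the HELO name itself aligns with the From: domain.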

