At 08:54 24-03-2009, Mark Martinec wrote:
So here is my list. Each entry reflects an actual case of received mail.
Some of these may have been fixed meanwhile by the sending domain,
so I'm not claiming that all of them still apply for the named domain.
- signing a Return-Path header field (e.g.: yahoo-inc.com,
This generally occurs with a specific MTA. It is not an RFC-compliant behavior.
- signature includes Message-ID in h tag, but there was no Message-ID in
the original message at the time of signing. When a receiving MX inserts
a missing header field, it breaks the signature.
That header field is a SHOULD. It is not optional unless your view
of implementation is restricted to "MUST". That can be fixed at the
message submission stage.
- missing or misplaced public key, e.g. signs as
- syntax errors in public key:
These two problems are generally caught during testing.
- sendmail reformats long lists of addresses in a To header field,
which is why our site is not signing a To header field;
Does that cause a verification failure? If so, can you send me a test
- some mailers add a space after a colon, e.g. rewriting a
"Subject:foo" into a "Subject: foo"
This is an MTA-specific issue.
- system time on the signing host is a few minutes into the future,
dkim-milter considers it an invalid signature
There is a ClockDrift setting to deal with that. People generally do
not notice this problem when they debug verification failures.
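
Added example (not part of the original message or of any MTA's code): a sketch of DKIM header canonicalization as specified in RFC 6376 section 3.4, run over a constructed message to show how two items from the list above affect the header hash. It is simplified in that it hashes only the fields named in h= and leaves out the DKIM-Signature field and the RSA step; the addresses, the h= value and the helper names are assumptions.

```python
import hashlib
import re

def canon(line, mode):
    """Header canonicalization, RFC 6376 section 3.4.1 (simple) / 3.4.2 (relaxed)."""
    if mode == "simple":
        return line + "\r\n"                      # byte-for-byte, nothing normalized
    name, value = line.split(":", 1)
    value = re.sub(r"\r\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse WSP, trim both ends
    return name.rstrip(" \t").lower() + ":" + value + "\r\n"

def header_digest(headers, h_tag, mode):
    """Hash the fields named in h=, taking instances bottom-up; absent fields add nothing."""
    remaining, data = list(headers), ""
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i].split(":", 1)[0].strip().lower() == wanted:
                data += canon(remaining.pop(i), mode)
                break
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

# Constructed sample message: no Message-ID at signing time, but h= lists it.
SIGNED = ["From: alice@example.org", "To: bob@example.net", "Subject:foo"]
H_TAG = "from:to:subject:message-id"
SPACE_ADDED = SIGNED[:2] + ["Subject: foo"]     # a mailer inserted a space after the colon
MSGID_ADDED = SIGNED + ["Message-ID: <constructed.1@mx.example.net>"]  # MX added the field

def survives(received, mode):
    """True if the header hash over `received` still matches the one taken at signing."""
    return header_digest(SIGNED, H_TAG, mode) == header_digest(received, H_TAG, mode)

if __name__ == "__main__":
    for label, msg in (("space after colon", SPACE_ADDED), ("Message-ID inserted", MSGID_ADDED)):
        for mode in ("simple", "relaxed"):
            print(f"{label:20} {mode:8} {'ok' if survives(msg, mode) else 'BROKEN'}")
```

The inserted space is absorbed by relaxed canonicalization but not by simple, while a Message-ID added after signing changes the hash under both because h= committed to the field being absent.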