Arvel Hathcock wrote:
> Do you have any fields, besides Received, that you feel should/must
> NOT be signed?
I don't sign "Return-Path", "X" headers, or "Authentication-Results"
headers. "X" type headers are too unpredictable and are often stripped
(this is routine in my experience) by various software in the email
transmission path. IIRC "Return-Path" has a "strip it out" directive
written down somewhere. I've often found incoming messages collected
from store and forward services which contain a "Return-Path". Stripping
it breaks the signature so I don't sign that one if/when I encounter it
in a message I'm signing. "Authentication-Results" has a criterion in
the spec by which it too could potentially be stripped out from an
incoming message. So headers which, in the spec that defines them or
through common practice, are likely to be stripped should never be
included in signatures IMO.
Ditto on these. Another I would not promote is "Reply-To:" for optional
list server reasons.
===
HLS
_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev
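An added illustration of the point made in this thread (not code from either poster): a small Python model of DKIM header selection and relaxed header canonicalization that excludes the fields named above, then shows that a relay which strips Return-Path and X-* headers leaves the header hash intact only when those fields were left out of h=. The message headers and the relay behaviour are constructed for the example; the hash covers only the selected headers (the DKIM-Signature field itself and the body hash are omitted to keep it short).

```python
import hashlib
import re

# Fields the thread says are routinely stripped or rewritten in transit.
UNSAFE_TO_SIGN = {"received", "return-path", "authentication-results", "reply-to"}


def choose_signed_headers(headers):
    """Build the h= list from (name, value) pairs, skipping unsafe and X-* fields."""
    chosen = []
    for name, _ in headers:
        lname = name.lower()
        if lname in UNSAFE_TO_SIGN or lname.startswith("x-"):
            continue
        if lname not in chosen:
            chosen.append(lname)
    return chosen


def relaxed_canon(name, value):
    """RFC 6376 relaxed header canonicalization: lowercase name, unfold, squeeze WSP."""
    value = re.sub(r"\s+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"


def header_hash(headers, signed_names):
    """Hash the canonicalized h= fields; each name takes the last unused instance,
    and a listed field that is absent contributes nothing (as DKIM specifies)."""
    remaining = list(headers)
    parts = []
    for name in signed_names:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                parts.append(relaxed_canon(*remaining.pop(i)))
                break
    return hashlib.sha256("".join(parts).encode()).hexdigest()


# Constructed sample message as it left the signer.
ORIGINAL = [
    ("Return-Path", "<bounce@example.org>"),
    ("X-Mailer", "ConstructedMUA 1.0"),
    ("From", "Alice <alice@example.org>"),
    ("To", "Bob <bob@example.net>"),
    ("Subject", "DKIM  header\r\n selection"),  # folded line exercises canonicalization
    ("Date", "Mon, 1 Jan 2007 10:00:00 +0000"),
]
# Constructed store-and-forward relay that drops Return-Path and X-* headers.
RELAYED = [(n, v) for n, v in ORIGINAL
           if n.lower() != "return-path" and not n.lower().startswith("x-")]


def verifies(signed_names):
    """True if the header hash survives the relay for this h= list."""
    return header_hash(ORIGINAL, signed_names) == header_hash(RELAYED, signed_names)
```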