Hi Daniel,
At 19:13 28-09-2009, Daniel Black wrote:
As you may know ([2] and others), DKIM has an incompatibility with email list
software message modification and ADSP verification (RFC5617).
The incompatibility is as follows:
1. An author emails to a mailing list.
2. The author's email infrastructure DKIM signs the email message and
publishes a ADSP dkim record saying 'I sign all messages for this domain'
3. The message is received by the email list
4. the email list software removes the DKIM-signature or, though message
modification, invalidates the signature
5. the email list subscriber receivers the email and attempts a
DKIM-signature
validation. If the signature did not exist it will validate ok.
6. the email list subscriber attempts to validated the DKIM-ADSP. The author
domain, taken from the From: address, has a DKIM-ADSP record saying "all"
(meaning I sign all messages) or "discard" (discard if the author domain
signature is invalid or missing).
7. email gets dropped due to ADSP
The are two or more cases:
(i) the mailing list manager mangles the message.
(ii) the DKIM signer makes some incorrect assumptions about how email works
The "incompatibility" you described is for the first case. I would
be cautious to mix DKIM with ADSP without a good understanding of
case (ii). If your users are not restricted from using email for
person-to-person communication, you should carefully evaluate whether
publishing an ADSP policy of "all" is sensible. I'll ignore
"discard" as it is obvious that the mail delivery is not viewed as
critical. BTW, there are valid use-cases for "discard".
The ways email list software can deal with this is (from [2]):
[snip]
3. remove DKIM-Signature conditionally - fails ADSP really badly
The ADSP lookup would still apply if the DKIM Signature cannot be verified.
What I propose as a solution is:
1. rewrite the From: address of the email to include the domain of the email
address.
and one or both of:
I haven't seen that being done much in practice. There are also a
lot of incorrect assumptions about the "From:" which you may have to deal with.
2. make "sender" or "reply-to" email headers contain the original sender
I suggest leaving the "reply-to:" alone or else you will create
problems outside the scope of DKIM.
Rational:
[snip]
I discarded the idea of adding a From address as sender-id verification will
fail if two (or more) from addresses though earlier versions do and DKIM
supports it.
Don't mix DKIM with sender-id.
Regards,
-sm
_______________________________________________
dkim-dev mailing list
dkim-dev(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-dev