John Levine wrote:
>> Any way to tell someone its signature is used in third party signing?
>
> Remember that invalid signatures are ignored, and signers are already
> aware of all the valid signatures they've applied.

Well, according to what I have seen from the GMAIL verifier, it is
discarding mail with invalid signatures.

I confirmed this 6 times last night with one message resent 6 times.
Four of the six were slightly modified each time to force an integrity
error. These were accepted by GMAIL's SMTP server but silently
discarded (never posted). The other two were the same original DKIM
signed message but with the DKIM-Signature header cut out. The two
messages were accepted and immediately posted.

As long as the original DKIM-Signature remained, the message was not
delivered.

I guess at least 1 big system is not listening to the Invalid
Signature Ignorance DKIM policy.

Either they are right and saved the day or they were wrong and bad
mail was unexpectedly lost. Take the DKIM-Signature out and mail
is delivered.

Again, all I did was essentially replay a valid DKIM signed message
(according to the original AR that indicated a DKIM pass) by slightly
modifying its content and/or headers. Gmail accepted the mail, but it
was not delivered. I took out the DKIM-Signature and poof! It made it
thru. That indicates they are not following this ignore invalid
signature rule.

--
Sincerely
Hector Santos
http://www.santronics.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
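
The three cases tested in the message above (signed original, modified copy, copy with the DKIM-Signature header removed), as an added example that is not part of the original post. It checks only the `bh=` body hash, not the `b=` RSA signature, and the message, domain, selector and function names are constructed for illustration.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """DKIM "simple" or "relaxed" body canonicalization."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse WSP runs, drop WSP at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # empty lines at the end of the body are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def dkim_tags(headers: bytes):
    """Tag=value pairs of the first DKIM-Signature header, or None."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", headers)
    for line in unfolded.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"dkim-signature":
            pairs = (t.split(b"=", 1) for t in value.split(b";") if b"=" in t)
            return {k.strip().decode(): v.strip() for k, v in pairs}
    return None

def body_hash_result(raw: bytes) -> str:
    """'none', 'pass' or 'fail' for the bh= tag (assumes a=rsa-sha256)."""
    headers, _, body = raw.partition(b"\r\n\r\n")
    tags = dkim_tags(headers)
    if tags is None:
        return "none"
    c = tags.get("c", b"simple/simple").decode()
    mode = c.split("/")[1] if "/" in c else "simple"
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    claimed = re.sub(rb"\s", b"", tags.get("bh", b""))
    return "pass" if base64.b64encode(digest) == claimed else "fail"

def spec_disposition(result: str) -> str:
    # The rule discussed in the thread: a failed signature counts as no signature.
    return "treat-as-signed" if result == "pass" else "treat-as-unsigned"

def make_signed(body: bytes) -> bytes:
    """Constructed sample message; b= is a placeholder, not a real signature."""
    bh = base64.b64encode(hashlib.sha256(canon_body(body, "relaxed")).digest())
    return (b"From: a@example.org\r\nSubject: test\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
            b"\ts=sel; h=from:subject; bh=" + bh + b"; b=PLACEHOLDER\r\n\r\n" + body)

def strip_signature(raw: bytes) -> bytes:
    """Remove the DKIM-Signature header together with its folded lines."""
    return re.sub(rb"(?im)^DKIM-Signature:.*\r\n(?:[ \t].*\r\n)*", b"", raw)

ORIGINAL = make_signed(b"Hello  world \r\nbye\r\n\r\n")
MODIFIED = ORIGINAL + b"extra line\r\n"
```

Under the ignore-invalid rule, `MODIFIED` and `strip_signature(MODIFIED)` get the same disposition; a receiver that handles them differently is acting on the failed signature itself.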