ietf-dkim

Re: [ietf-dkim] DKIM/ADSP edge case writeup at CircleID

2009-03-24 18:55:07
At 08:54 24-03-2009, Mark Martinec wrote:
> So here is my list. Each entry reflects an actual case of received mail.
> Some of these may have been fixed meanwhile by the sending domain,
> so I'm not claiming that all of them still apply for the named domain.

[snip]

> - signing a Return-Path header field (e.g.: yahoo-inc.com,
>   avaaz(_at_)avaaz(_dot_)org);

This generally occurs with a specific MTA.  It is not an RFC-compliant behavior.

> - signature includes Message-ID in h tag, but there was no Message-ID in
>   the original message at the time of signing. When a receiving MX inserts
>   a missing header field, it breaks the signature.

That header field is a SHOULD.  It is not optional unless your view 
of implementation is restricted to "MUST".  That can be fixed at the 
message submission stage.

> - missing or misplaced public key, e.g. signs as

[snip]

> - syntax errors in public key:

These two problems are generally caught during testing.

> - sendmail reformats long lists of addresses in a To header field,
>   which is why our site is not signing a To header field;

Does that cause a verification failure?  If so, can you send me a test 
case off-list?

> - some mailers add a space after a colon, e.g. rewriting a
>   "Subject:foo" into a "Subject: foo"

This is an MTA-specific issue.

> - system time on the signing host is a few minutes into the future,
>   dkim-milter considers it an invalid signature

There is a ClockDrift setting to deal with that.  People generally do 
not notice this problem when they debug verification failures.

Regards,
-sm 

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
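
Two of the cases discussed in the message above (the "Subject:foo" rewrite and the Message-ID inserted after signing) can be reproduced with the header canonicalization rules of RFC 6376 section 3.4. The following is an added example, not part of the original message or of any DKIM implementation; the sample headers are constructed, and the digest covers only the fields named in h= (the DKIM-Signature field itself, which a real verifier also hashes, is left out).

```python
import hashlib
import re

def canon_header(field: str, mode: str) -> str:
    """Canonicalize one header field (given without its final CRLF)."""
    if mode == "simple":
        return field + "\r\n"                      # simple: bytes are left untouched
    name, value = field.split(":", 1)              # relaxed (RFC 6376 3.4.2):
    value = re.sub(r"\r\n(?=[ \t])", "", value)    #   unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse WSP, trim both ends
    return name.strip(" \t").lower() + ":" + value + "\r\n"

def signed_header_digest(headers, h_tag, mode):
    """SHA-256 over the fields listed in h=, picked bottom-up as a verifier does.
    A name in h= with no matching field contributes the null string."""
    remaining = list(headers)
    data = ""
    for wanted in h_tag:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i].split(":", 1)[0].strip().lower() == wanted.lower():
                data += canon_header(remaining.pop(i), mode)
                break
    return hashlib.sha256(data.encode("ascii")).hexdigest()

# Constructed sample: the message as the signer saw it (no Message-ID yet).
AS_SIGNED = ["From: alice@example.org", "Subject:foo"]
H_TAG = ["from", "subject", "message-id"]          # Message-ID listed although absent

# The same message after transit, as described in the thread.
RESPACED = ["From: alice@example.org", "Subject: foo"]
WITH_MSGID = AS_SIGNED + ["Message-ID: <constructed.1@mx.example.net>"]

def survives(received, mode):
    """True if the signed-header digest is unchanged by the in-transit edit."""
    return (signed_header_digest(AS_SIGNED, H_TAG, mode)
            == signed_header_digest(received, H_TAG, mode))

if __name__ == "__main__":
    for label, msg in (("space after colon", RESPACED), ("Message-ID added", WITH_MSGID)):
        for mode in ("simple", "relaxed"):
            print(f"{label:18} {mode:8} survives={survives(msg, mode)}")
```

Relaxed canonicalization absorbs the whitespace rewrite, but neither mode survives a header field that was listed in h= while absent and is added later, which is why that case has to be fixed at submission.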