
Mailing List Archive: exim: users

DKIM signature in outgoing emails

 

 



andrej at antiszoc

Dec 14, 2011, 2:25 AM

Post #1 of 5 (612 views)
DKIM signature in outgoing emails

Dear List,

Today I've found out that there's no identity (i=) in the DKIM
signature. I've googled a lot and cannot find any info relating to this.
Can anyone help to include an identity field in the DKIM signature?

Regards,
Andras

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


msk at cloudmark

Dec 16, 2011, 3:04 PM

Post #2 of 5 (597 views)
Re: DKIM signature in outgoing emails [In reply to]

> -----Original Message-----
> From: exim-users-bounces+msk=cloudmark.com [at] exim [mailto:exim-users-bounces+msk=cloudmark.com [at] exim] On Behalf Of andrej [at] antiszoc
> Sent: Wednesday, December 14, 2011 2:26 AM
> To: exim-users [at] exim
> Subject: [exim] DKIM signature in outgoing emails
>
> Dear List,
>
> Today I've found out that there's no identity (i=) in the DKIM
> signature. I've googled a lot and cannot find any info relating to this.
> Can anyone help to include an identity field in the DKIM signature?

I can't answer this in the exim context, but I'm curious: Are there receivers out there you know of that care what's in the "i=" value?

-MSK



andrej at antiszoc

Dec 17, 2011, 12:58 AM

Post #3 of 5 (599 views)
Re: DKIM signature in outgoing emails [In reply to]

On Fri, 16 Dec 2011 15:04:58 -0800, Murray S. Kucherawy wrote:
>> -----Original Message-----
>> From: exim-users-bounces+msk=cloudmark.com [at] exim
>> [mailto:exim-users-bounces+msk=cloudmark.com [at] exim] On Behalf Of
>> andrej [at] antiszoc
>> Sent: Wednesday, December 14, 2011 2:26 AM
>> To: exim-users [at] exim
>> Subject: [exim] DKIM signature in outgoing emails
>>
>> Dear List,
>>
>> Today I've found out that there's no identity (i=) in the DKIM
>> signature. I've googled a lot and cannot find any info relating to
>> this.
>> Can anyone help to include an identity field in the DKIM signature?
>
> I can't answer this in the exim context, but I'm curious: Are there
> receivers out there you know of that care what's in the "i=" value?
>
> -MSK

The dkimstatus plugin in Roundcube gives a checkmark when the identity is
included, and otherwise it gives an info message like this: "The message
was signed by a 3rd party". Actually Gmail doesn't include the identity
value and Facebook includes it. Of course I could modify the Roundcube
plugin, but it would be nice if the i= could be included with exim.

This is in the RFC (http://www.ietf.org/rfc/rfc6376.txt):

"i= The Agent or User Identifier (AUID) on behalf of which the SDID is
taking responsibility (dkim-quoted-printable; OPTIONAL, default is
an empty local-part followed by an "@" followed by the domain from
the "d=" tag)."

Andras



msk at cloudmark

Dec 17, 2011, 8:52 PM

Post #4 of 5 (593 views)
Re: DKIM signature in outgoing emails [In reply to]

> -----Original Message-----
> From: exim-users-bounces+msk=cloudmark.com [at] exim [mailto:exim-users-bounces+msk=cloudmark.com [at] exim] On Behalf Of Gót András
> Sent: Saturday, December 17, 2011 12:58 AM
> To: exim-users [at] exim
> Subject: Re: [exim] DKIM signature in outgoing emails
>
> The dkimstatus plugin in Roundcube gives a checkmark when the identity is
> included, and otherwise it gives an info message like this: "The message
> was signed by a 3rd party". Actually Gmail doesn't include the identity
> value and Facebook includes it. Of course I could modify the Roundcube
> plugin, but it would be nice if the i= could be included with exim.
>
> This is in the RFC (http://www.ietf.org/rfc/rfc6376.txt):
>
> "i= The Agent or User Identifier (AUID) on behalf of which the SDID is
> taking responsibility (dkim-quoted-printable; OPTIONAL, default is an
> empty local-part followed by an "@" followed by the domain from the
> "d=" tag)."

Yes, I'm familiar with it. :-) (Hint: Look at the author list.)

As a receiver or verifier, I have no reason to believe what anyone puts in "i=", which is why the DKIM Working Group at IETF shifted its focus to "d=" in RFC5672. The value in that field might match the From: field and it might not. It could be a totally random value. It may or may not be the same from one message to the next even if the author is the same in both. And any match or mismatch doesn't mean the DKIM signature is in any way invalid.

Basically, you have no guarantees about how the signer is using it. That's why I'm wondering who actually cares whether that field is there and what's in it, and what the rationale for doing so might be.

It works if you know how the signer is using it and you trust the signer to be consistent about doing so. But in general, and certainly at a protocol level, you don't know that a priori.

Thus, in OpenDKIM we provide hooks for the verifier to get the "i=" value and do something with it, but the software itself has no requirements and makes no assertions about what might be in there. Any filtering decisions made based on the presence, absence, or content of "i=" are left to the user.

-MSK
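
The "i=" default quoted from RFC 6376 in post #3, worked through as an added example; it is not code from this thread, Exim, OpenDKIM or the Roundcube plugin. It reads "d=" and "i=" from a DKIM-Signature value, applies the default when "i=" is absent, and checks only the RFC's scoping rule (the "i=" domain is "d=" or a subdomain of it). The function names and the example.org headers are constructed for illustration, and no signature is verified.

```python
import re

def parse_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376, 3.2)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Dropping folding whitespace is safe for the d= and i= tags read here.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def decode_qp(value):
    """Decode dkim-quoted-printable =XX escapes (ASCII escapes only in this sketch)."""
    return re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def identity(header_value):
    """Return (sdid, auid, explicit, in_scope) for one DKIM-Signature value.

    explicit: the signer actually wrote an i= tag.
    in_scope: the AUID domain is d= itself or a subdomain of it, as RFC 6376
    requires. It says nothing about whether the local-part is meaningful.
    """
    tags = parse_tags(header_value)
    if "d" not in tags:
        raise ValueError("d= is a required tag")
    sdid = tags["d"].lower()
    explicit = "i" in tags
    # RFC 6376 default: empty local-part, "@", then the d= domain.
    auid = decode_qp(tags["i"]) if explicit else "@" + sdid
    domain = auid.rsplit("@", 1)[-1].lower()
    in_scope = "@" in auid and (domain == sdid or domain.endswith("." + sdid))
    return sdid, auid, explicit, in_scope

# Constructed sample values (not taken from real mail); bh=/b= are dummies.
BASE = "v=1; a=rsa-sha256; d=example.org; s=sel1;\r\n h=from:to; bh=ZHVtbXk=; b=ZHVtbXk="
SAMPLES = {
    "no_i": BASE,
    "subdomain": BASE + "; i=andras@mail.example.org",
    "escaped": BASE + "; i=a=2Eb@example.org",
    "lookalike": BASE + "; i=andras@notexample.org",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, identity(value))
```

A header with no "i=" and one with "i=@example.org" yield the same AUID, so the `explicit` flag is the only thing that tells them apart.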




exim-users at spodhuis

Dec 17, 2011, 11:06 PM

Post #5 of 5 (596 views)
Re: DKIM signature in outgoing emails [In reply to]

On 2011-12-17 at 09:58 +0100, Gót András wrote:
> The dkimstatus plugin in Roundcube gives a checkmark when the identity is
> included, and otherwise it gives an info message like this: "The message
> was signed by a 3rd party". Actually Gmail doesn't include the identity
> value and Facebook includes it. Of course I could modify the Roundcube
> plugin, but it would be nice if the i= could be included with exim.

Gmail includes the "signed-by" pseudo-header in the stuff you see at the
top of the message; with the recent redesign, they've buried it :( but
the "Show details" drop-down by the recipient shows it again.

This will also update the "mailed-by" pseudo-header, which AIUI has a
number of potential sources, but valid DKIM takes precedence. I think.

-Phil

