Hi!

I'm also looking into optimizing my DKIM configuration, especially which headers to sign. Unfortunately, DMARC reports tell you only that the DKIM verification failed but not why. The default for dkim_sign_headers doesn't work well for me.

On Mon, 23 Oct 2023, Andreas Metzler via Exim-users wrote:

I think it depends on which header would be added. Some additions
should be allowed. Exim's default setting for dkim_sign_headers is
extremely conservative and imho does not make sense. I had tried to
discuss this in https://bugs.exim.org/show_bug.cgi?id=2394.

I personally am using 
+From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-Post
I am sure this set is not perfect and I have missed something, though.

There are some changes between the RFCs:

RFC4871, Section 5.5., Recommended Signature Content

   The following header fields SHOULD be included in the signature, if
   they are present in the message being signed:

   o  From (REQUIRED in all signatures)
   o  Sender, Reply-To
   o  Subject
   o  Date, Message-ID
   o  To, Cc
   o  MIME-Version
   o  Content-Type, Content-Transfer-Encoding, Content-ID, Content-
      Description
   o  Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc,
      Resent-Message-ID
   o  In-Reply-To, References
   o  List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
      List-Owner, List-Archive


RFC6376, Section 5.4.1, Recommended Signature Content

   o  From (REQUIRED; see Section 5.4)
   o  Reply-To
   o  Subject
   o  Date
   o  To, Cc
   o  Resent-Date, Resent-From, Resent-To, Resent-Cc
   o  In-Reply-To, References
   o  List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post,
      List-Owner, List-Archive

Wouldn't it make sense to update the default for dkim_sign_headers accordingly? Anyway, I'll try RFC6376's recommended headers and hope it will decrease my DKIM verification issues.

ciao
 Markus
--
/ Markus Reschke              \
\ madi...@theca-tabellaria.de /
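
As an added example (not part of the original message and not Exim code), the Python below parses the dkim_sign_headers value quoted in the thread and compares it with the two RFC lists quoted above. The prefix semantics are an assumption taken from Exim's documentation of the option ("+" signs every present instance plus one extra, "=" signs only present instances, no prefix signs one instance or its absence); the sample message is constructed.

```python
# Added example: compare a dkim_sign_headers value with the RFC lists quoted above.
from collections import Counter

# Value quoted in the thread.
SETTING = ("+From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:"
           "+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:"
           "+Content-Description:=Resent-Date:=Resent-From:=Resent-Sender:"
           "=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:"
           "=List-Id:=List-Help:=List-Post")

# RFC 6376 section 5.4.1 list as quoted above.
RFC6376 = ("From Reply-To Subject Date To Cc Resent-Date Resent-From Resent-To "
           "Resent-Cc In-Reply-To References List-Id List-Help List-Unsubscribe "
           "List-Subscribe List-Post List-Owner List-Archive").split()
# RFC 4871 section 5.5 is that list plus these names.
RFC4871 = RFC6376 + ("Sender Message-ID MIME-Version Content-Type "
                     "Content-Transfer-Encoding Content-ID Content-Description "
                     "Resent-Sender Resent-Message-ID").split()

def parse(spec):
    """Return [(name, mode)]; mode is 'oversign' (+), 'present' (=) or 'plain'."""
    modes = {"+": "oversign", "=": "present"}
    out = []
    for item in filter(None, (s.strip() for s in spec.split(":"))):
        out.append((item[1:] if item[0] in modes else item, modes.get(item[0], "plain")))
    return out

def diff(spec, recommended):
    """(names signed beyond the recommendation, recommended names not signed)."""
    have = {n.lower() for n, _ in parse(spec)}
    want = {n.lower() for n in recommended}
    return sorted(have - want), sorted(want - have)

def signed_counts(spec, header_names):
    """Number of h= entries per name for a message with these header names (assumed semantics)."""
    present = Counter(h.lower() for h in header_names)
    counts = {}
    for name, mode in parse(spec):
        n = present[name.lower()]
        counts[name] = {"oversign": n + 1, "present": n, "plain": 1}[mode]
    return {k: v for k, v in counts.items() if v}

if __name__ == "__main__":
    # Constructed message: a list post that carries List-Unsubscribe.
    msg = ["From", "To", "Subject", "Date", "Message-ID", "List-Id", "List-Unsubscribe"]
    print("extra / missing vs RFC 6376:", diff(SETTING, RFC6376))
    print("h= entries:", signed_counts(SETTING, msg))
```

Run against the RFC 6376 list, the diff shows which names in the setting go beyond that recommendation and which recommended List-* names it leaves unsigned.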

