Maybe it's not a coincidence, but Steve Atkins just made a post about that: https://wordtothewise.com/2018/07/minimal-dmarc/

I would tend to say that the more headers are included in the signature, the "safer" it gets (any change would be suspicious), but this is challengeable and it makes sense to look a bit closer at the detail of each header individually. Some headers might be required to be added, such as X-CSA-Complaints and List-Unsubscribe, for CSA members: https://certified-senders.org/wp-content/uploads/2017/07/CSA_Admission_Criteria.pdf.

--
Benjamin

From: mailop <mailop-boun...@mailop.org> On Behalf Of Autumn Tyr-Salvia
Sent: Friday, 20 July, 2018 07:18
To: Mailop <mailop@mailop.org>
Subject: [mailop] DKIM headers - which do you sign and why?

Hello Email Folks,

I work at Agari, where I guide large organizations through the process of getting their email to pass DMARC. I have lately had some customers with greater-than-usual issues relating to aligned authenticated messages that get forwarded, where the forwarding system is changing headers to the point that they break DKIM, and thus the messages fail and get rejected. The messages they're having trouble with are being sent from servers under their own control (and not third party vendors), and I have a sneaking suspicion that the issue is related to the specific headers they have chosen to sign.

I know signing the From: field is required by spec, but I think everything else is technically optional. For those of you who have been in the position of choosing which headers to sign and which not to, would you be open to sharing your reasoning with me? Any words of wisdom around headers they really should or should not sign?

Insight much appreciated!

Thanks,

Autumn Tyr-Salvia
tyrsalvia@gmail
atyrsalvia@agari
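One way to find which signed headers a forwarder altered, as an added example that is not part of the thread: it reads the `h=` list from `DKIM-Signature` and compares each signed header between the copy as sent and the copy as received. The messages, domains, selector and placeholder `bh=`/`b=` values are constructed; it assumes relaxed header canonicalization and does not verify the signature or the body hash.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample (headers only): the message as sent.
# Reply-To and Sender are listed in h= although the message has neither.
SENT = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=From:To:Subject:Date:Reply-To:Sender; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
To: list@example.org
Subject: Quarterly report
Date: Fri, 20 Jul 2018 07:18:00 +0000
"""

# Constructed sample: the same message after a forwarder tagged Subject,
# added Sender and re-folded From (a whitespace-only change).
FORWARDED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=From:To:Subject:Date:Reply-To:Sender; bh=PLACEHOLDER; b=PLACEHOLDER
Sender: list-bounces@example.org
From: Alice
 <alice@example.com>
To: list@example.org
Subject: [list] Quarterly report
Date: Fri, 20 Jul 2018 07:18:00 +0000
"""

def signed_headers(msg):
    """Lowercased header names from the h= tag of the DKIM-Signature header."""
    match = re.search(r"(?:^|;)\s*h\s*=([^;]*)", msg["DKIM-Signature"])
    return [h.strip().lower() for h in match.group(1).split(":")]

def relaxed(value):
    """Relaxed canonicalization of a header value: unfold, collapse whitespace."""
    return " ".join(value.split())

def instances(msg, name, count):
    """Last `count` instances of a header, bottom-up; None marks an absent one."""
    values = [relaxed(v) for v in reversed(msg.get_all(name, []))]
    return (values + [None] * count)[:count]

def changed_signed_headers(sent, forwarded):
    """Signed header names whose signed instances differ between the two copies."""
    sent, forwarded = message_from_string(sent), message_from_string(forwarded)
    counts = Counter(signed_headers(sent))  # a name repeated in h= signs more instances
    return [n for n, k in counts.items() if instances(sent, n, k) != instances(forwarded, n, k)]

if __name__ == "__main__":
    print(changed_signed_headers(SENT, FORWARDED))
```

The re-folded From does not count as a change under relaxed canonicalization, while Sender does: a header listed in `h=` but absent at signing time is signed as empty, so adding it later invalidates the signature.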