Here's mine:

h=from:to:subject:mime-version:sender:list-unsubscribe:content-type:content-transfer-encoding:feedback-id;

I saw some recommendations not to sign "To", but I don't think it is
good practice (for the generic use case). If you don't sign the To,
then anyone can "replay" your message to another recipient and make it
seem legit (pass DKIM).

Stefano

On Fri, 20 Jul 2018 at 07:21, Autumn Tyr-Salvia <tyrsal...@gmail.com> wrote:
>
> Hello Email Folks,
>
> I work at Agari, where I guide large organizations through the process of 
> getting their email to pass DMARC. I have lately had some customers with 
> greater-than-usual issues relating to aligned authenticated messages that get 
> forwarded, where the forwarding system is changing headers to the point that 
> they break DKIM, and thus the messages fail and get rejected. The messages 
> they're having trouble with are being sent from servers under their own 
> control (and not third party vendors), and I have a sneaking suspicion that 
> the issue is related to the specific headers they have chosen to sign.
>
> I know signing the From: field is required by spec, but I think everything 
> else is technically optional. For those of you who have been in the position 
> of choosing which headers to sign and which not to, would you be open to 
> sharing your reasoning with me? Any words of wisdom around headers they 
> really should or should not sign?
>
> Insight much appreciated!
>
>
> Thanks,
>
> Autumn Tyr-Salvia
> tyrsalvia@gmail
> atyrsalvia@agari
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop



-- 
Stefano Bagnara
Apache James/jDKIM/jSPF
VOXmail/Mosaico.io/VoidLabs
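
Added example, not part of the original message or of any project named in it: a small Python check that compares a DKIM-Signature's h= list with the headers actually present, to see which fields a forwarder could change or add without breaking the signature. The sample message, domain, selector and bh=/b= values are constructed placeholders; the h= list is the one quoted above.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample; example.com, sel1 and the bh=/b= values are placeholders.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; bh=PLACEHOLDER;
 h=from:to:subject:mime-version:sender:list-unsubscribe:content-type:
 content-transfer-encoding:feedback-id; b=PLACEHOLDER
Date: Fri, 20 Jul 2018 09:00:00 +0200
From: News <news@example.com>
To: alice@example.net
Subject: July update
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Hello
"""

def signed_headers(dkim_value):
    """Return the lower-cased header names listed in the h= tag, in order."""
    tags = {}
    for part in dkim_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Folding whitespace is allowed anywhere inside a tag value.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return [h.lower() for h in tags.get("h", "").split(":") if h]

def coverage(raw_message, h=None):
    """Compare the h= list (or a trial list passed as h) with the message.

    unsigned: present with at least one instance not covered, so it can be
              rewritten without breaking DKIM.
    locked:   listed more times than present, so adding an instance later
              breaks the signature.
    """
    msg = message_from_string(raw_message)
    value = msg["DKIM-Signature"] if h is None else "h=" + h
    signed = Counter(signed_headers(value))
    present = Counter(k.lower() for k in msg.keys()
                      if k.lower() != "dkim-signature")
    return {
        "unsigned": sorted(n for n in present if present[n] > signed[n]),
        "locked": sorted(n for n in signed if signed[n] > present[n]),
    }

if __name__ == "__main__":
    print(coverage(SAMPLE))                  # the h= list quoted above
    print(coverage(SAMPLE, "from:subject"))  # a trial list that omits To
```

Passing a trial list as the second argument shows how the exposure changes before a signer's configuration is touched, for example that dropping To from h= moves it into the unsigned set.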
