On Fri 11/Oct/2024 14:03:40 +0200 Gellner, Oliver via mailop wrote:
On 11.10.2024 at 00:08 Mark Delany via mailop <mailop@mailop.org> wrote:

Given that you have to allow for a queue time of multiple days, x= seems of marginal value - leastwise as an anti-replay mechanism.

If the MTA allows it, it can update the timestamp and expiration time in the DKIM signature before each delivery attempt. The receiving system should validate DMARC at the edge, i.e. on the very next hop after the signature has been applied, so the timeframe during which the DKIM signature needs to be valid can be kept very short.


I don't think the best setup is to sign at the bastion hosts. One could sign at the MSA. In that case, delays caused by external hosts greylisting or 421ing for any reason have to be accounted for.


Best
Ale
--

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
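The two positions in the thread (re-stamp t=/x= before every delivery attempt versus sign once at the MSA and live with queue delays) come down to how a verifier treats the DKIM t= and x= tags. The following is an added example, not code from any poster or from any MTA; it models only the time-window check of RFC 6376 section 3.5 (x= must exceed t=, an expired x= may be rejected, some clock skew may be tolerated) and does not verify signature bytes. The sample DKIM-Signature value, the 300-second skew allowance, the one-hour lifetime and the retry schedule are all constructed for illustration.

```python
"""
Added example (not from the thread): how a verifier judges DKIM t=/x= and why a
short x= window breaks when the queue, not the signer, controls delivery time.
Follows RFC 6376 section 3.5 semantics for the t= and x= tags only.
"""
import re

# Constructed sample DKIM-Signature value (dummy bh=/b=; only the tags matter here).
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2024;\r\n"
    "\th=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    "\tt=1728633820; x=1728637420;\r\n"
    "\tb=ZmFrZQ=="
)

DEFAULT_SKEW = 300  # seconds of clock skew a verifier might tolerate (assumption)


def parse_tags(header_value: str) -> dict:
    """Parse an RFC 6376 tag=value list. Folding whitespace inside a tag is
    semantically insignificant, so it is stripped before splitting on the first '='."""
    tags = {}
    for item in header_value.split(";"):
        item = re.sub(r"\s+", "", item)
        if not item:
            continue  # trailing ';' or empty element
        name, sep, value = item.partition("=")
        if sep:
            tags[name] = value
    return tags


def check_timestamps(tags: dict, now: int, max_skew: int = DEFAULT_SKEW) -> tuple:
    """Return (accepted, reason) for the time-related tags only.

    RFC 6376 s3.5: t= and x= are integer seconds since the epoch; x= MUST be
    greater than t= when both are present; a verifier MAY reject a signature whose
    x= has passed and MAY allow some clock skew. Signature bytes are not checked."""
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    if t is not None and x is not None and x <= t:
        return False, "x= must be greater than t="
    if t is not None and t > now + max_skew:
        return False, "t= lies in the future beyond tolerated skew"
    if x is not None and now > x + max_skew:
        return False, "signature expired (x= passed)"
    return True, "timestamps acceptable"


def restamp(tags: dict, now: int, lifetime: int) -> dict:
    """Set t=now and x=now+lifetime on a copy of the tags, as an MTA could do before
    each delivery attempt. Because the DKIM-Signature header itself (minus the b=
    value) is part of the signed data, the signer must recompute b= afterwards;
    that step is omitted here because the example only models the time window."""
    fresh = dict(tags)
    fresh["t"] = str(now)
    fresh["x"] = str(now + lifetime)
    return fresh


def simulate_delivery(signed_at: int, attempt_times: list, lifetime: int,
                      restamp_each_attempt: bool) -> list:
    """Model a message signed at `signed_at` with x=signed_at+lifetime, then
    retried at `attempt_times` (earlier attempts greylisted / 421'd). Returns the
    verifier's time-window verdict for each attempt."""
    tags = restamp(parse_tags(SAMPLE_DKIM_SIGNATURE), signed_at, lifetime)
    verdicts = []
    for when in attempt_times:
        if restamp_each_attempt:
            tags = restamp(tags, when, lifetime)
        verdicts.append(check_timestamps(tags, now=when)[0])
    return verdicts


if __name__ == "__main__":
    t0 = 1728633820
    # Constructed retry schedule: two deferrals, then acceptance after 3 h of greylisting.
    retries = [t0 + 60, t0 + 900, t0 + 3 * 3600]
    print("sign once at MSA, x=1h :", simulate_delivery(t0, retries, 3600, False))
    print("re-stamp each attempt  :", simulate_delivery(t0, retries, 3600, True))
```

With a one-hour x= set once at the MSA, the third attempt (after three hours of greylisting) arrives with an expired signature and the receiving edge rejects it; re-stamping before each attempt keeps every attempt inside the window, at the cost of re-signing (recomputing b=) on the outbound MTA rather than at the MSA.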