On Thu, Apr 10, 2014 at 05:24:54PM -0600, LuKreme wrote:
> > No, the DKIM spec makes no allowance for signature delimiters. If
> > the body is modified beyond adding removing whitespace (with relaxed
> > canonicalization) the DKIM check fails.
>
> That seems like a bug in the implementation of DKIM.
No, it is a specification issue, and it was deliberate. To allow
footers, DKIM makes it possible to specify a byte count over which
the signature is computed, and then everything beyond that is
ignored, but this makes it possible to arbitrarily extend signed
mail with "fraudulent" content, so it is rarely used.
> >> the subject also don't matter in case of signed messages
> >> it is a HEADER and headers are added at every hop
> >
> > DKIM also signs message headers.
>
> Certain headers, not all of them.
The subject is generally signed, but indeed the set of signed
headers is entirely at the discretion of the signer. Headers
not covered by the signature may be freely modified. Clearly
Yahoo signs "Subject:".
--
Viktor.
