Kevin N.:
> > Milters decide themselves where they want to insert headers, by index.
> > Depending on the order in which milters run, insertion done by one
> > milter can shift the insertion point of the next milter.
> > 
> > The sendmail milter API that milters use to insert headers has a bit of
> > an oddity when using index 0 and 1 to insert: Index 0 inserts *before*
> > the MTA’s ‘Received’ header, index 1 *after*. When all milters use
> > index 1, headers will be inserted in (reverse) order after the
> > ‘Received’ header. However, when just one milter uses index 0, all
> > subsequent milters using index 1 also insert *before* the MTA’s
> > ‘Received’ header. (For details see doc for ‘smfi_insheader’.) This is
> > what I would guess is happening in your case.
> 
> I definitely need to take a closer look at the 'smfi_insheader' docs.

I forgot the main bit of my explanation. So: If your spf-milter inserts
at index 0 and your dkim-milter inserts at index 1, then the header
order behaviour that you showed is exactly as expected.

> > By the way, RFC 8601 says that ‘Authentication-Results’ headers should
> > be inserted *before* the MTA’s ‘Received’ header.
> 
> I totally missed this part while I was skimming through the RFC.
> 
> So, just to make sure that I understand this correctly, the order of the
> "Authentication-Results" headers does matter. Correct?

RFC 8601 seems to give significance to the relative ordering of
‘Authentication-Results’ and ‘Received’ headers.

> > If it is OpenDKIM you’re talking about, you may be interested in this
> > recent change request to fix this and make it consistent:
> > 
> > https://github.com/trusteddomainproject/OpenDKIM/pull/126
> 
> Yes, I was talking about OpenDKIM. I forgot to mention that in my initial
> mail.
> 
> I'll take a look at the pull request. Thanks for pointing this out :)
> 
> 
> > Personally I prefer to do SPF before DKIM. Because SPF looks at envelope
> > information, which comes before the data, it seems more logical to check
> > that first.
> 
> This actually makes a lot of sense now that you mentioned it :) .
> But in this case, can there be a situation in which the
> "Authentication-Results" header added by the SPF check could mess up the
> DKIM signature check?
> 
> From what I read, in certain situations, milters running before the milter
> that does the DKIM check, could add headers that would mess up the DKIM
> signature check.
> 
> Is it safe to assume that the "Authentication-Results" header added by the
> SPF check is *not* such a case? Or am I misunderstanding this completely :) ?

I hadn’t thought about this in detail but checked quickly. RFC 6376,
sections 5.4.1 and 5.4.2 make it clear that this is not a problem.

Cheers,


-- 
David
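
Added example, not part of the original message and not code from OpenDKIM or any milter: a small check that reports which of the local verifier's ‘Authentication-Results’ headers sit above the topmost ‘Received’ header and which ended up below it, as happens when one milter inserts at index 0 and another at index 1. The function name, the sample message and the authserv-id `mx.example.org` are constructed for illustration; the authserv-id is the leading token of the header value as defined in RFC 8601 and is used here to tell local results apart from those added by earlier hops.

```python
from email import message_from_string

# Constructed sample: the local SPF result was inserted above the local MTA's
# Received header, the local DKIM result below it. The third
# Authentication-Results header belongs to an earlier hop.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com
Received: from mail.example.com by mx.example.org; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.org; dkim=pass header.d=example.com
Authentication-Results: mail.example.com; auth=pass smtp.auth=alice
Received: from client.example.com by mail.example.com; Mon, 1 Jan 2024 09:59:58 +0000
From: alice@example.com
Subject: test

body
"""

def authres_placement(raw_message, authserv_id):
    """Return (above, below): Authentication-Results values carrying the given
    authserv-id, split by position relative to the topmost Received header."""
    headers = message_from_string(raw_message).items()  # preserves header order
    names = [name.lower() for name, _ in headers]
    # The topmost Received header is the one added by the local MTA.
    top_received = names.index("received") if "received" in names else len(names)
    above, below = [], []
    for pos, (name, value) in enumerate(headers):
        if name.lower() != "authentication-results":
            continue
        value = " ".join(value.split())  # unfold continuation lines
        # authserv-id is the first token before the first ';'
        tokens = value.split(";", 1)[0].split()
        if not tokens or tokens[0].lower() != authserv_id.lower():
            continue  # added by another hop, not by the local verifier
        (above if pos < top_received else below).append(value)
    return above, below

if __name__ == "__main__":
    above, below = authres_placement(SAMPLE, "mx.example.org")
    print("above topmost Received:", above)
    print("below topmost Received:", below)
```
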
