On Mon, Aug 16, 2021 at 03:38:01PM +0200, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 16.08.21 21:11, Ken N wrote:
> > Thank you for providing the details.
> > That makes things clear.
> >
> > On 2021/8/16 6:26 PM, raf wrote:
> > > DKIM signatures should include the entire body, and
> > > some headers. The RFC only requires that the From:
> > > header be included, but it lists some "common examples"
> > > of headers that get included (Section 5.4.1):
> > >
> > >   List-Id, List-Help, List-Unsubscribe, List-Subscribe,
> > >   List-Post, List-Owner, List-Archive
>
> Just note that you should not sign these headers unless you run a mailing
> list and set these headers.
> Otherwise, your messages to a mailing list won't be DKIM safe.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> "Where do you want to go to die?" [Microsoft]

Yes. If you actually signed them when they weren't there,
that would be "oversigning" and cause any later addition
to render the signature invalid.

But OpenDKIM doesn't sign a header just because it's in the
list of headers to sign. They are in OpenDKIM's default list,
but it only signs them (and only names them in the list of
signed headers (h=) in the DKIM-Signature header) if they
are actually present.

So, when sending an email to a mailing list, they aren't
signed because they're not there yet, but if the mailing
list wants to DKIM-sign mails itself (using OpenDKIM), then
they would be included in the signature. At least, that's
what I think would happen.

P.S. I just found the actual default list used by OpenDKIM
in its source code, and it is all the "common examples"
listed in the RFC as well as one extra:

  Resent-Sender

Which makes sense with all the other Resent-* headers.

cheers,
raf
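
The difference between signing only the headers that are present and "oversigning" an absent one, as an added example that is not part of the original message and is not OpenDKIM code. It is a simplified model that assumes only the header-hash step of RFC 6376 (no body hash, no RSA signature); the candidate list, function names and sample message are constructed for illustration.

```python
import hashlib

# Candidate headers to sign: a subset chosen for this sketch, not OpenDKIM's list.
SIGN_CANDIDATES = ["From", "To", "Subject", "Date", "List-Id", "List-Post"]

def header_hash(headers, h_names):
    """Hash the headers named in h=, picking instances bottom-up (RFC 6376 5.4.2)."""
    remaining = list(headers)
    digest = hashlib.sha256()
    for name in h_names:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name.lower():
                n, v = remaining.pop(i)
                # Relaxed-style canonicalization: lowercase name, collapsed whitespace.
                digest.update(f"{n.lower()}:{' '.join(v.split())}\r\n".encode())
                break
        # A name with no remaining instance contributes nothing to the hash.
    return digest.hexdigest()

def sign(headers, oversign=()):
    """Return (h= list, hash). Candidates are listed only when present;
    names in `oversign` are listed one extra time, present or not."""
    names = [n.lower() for n, _ in headers]
    h = [c for c in SIGN_CANDIDATES for _ in range(names.count(c.lower()))]
    h += list(oversign)
    return h, header_hash(headers, h)

def verify(headers, sig):
    """Recompute the hash over the received headers using the signer's h= list."""
    h, expected = sig
    return header_hash(headers, h) == expected

# Constructed sample message, before and after a mailing list adds its headers.
ORIGINAL = [("From", "alice@example.org"), ("To", "list@lists.example.net"),
            ("Subject", "DKIM question"), ("Date", "Mon, 16 Aug 2021 10:00:00 +0000")]
RELAYED = ORIGINAL + [("List-Id", "<list.lists.example.net>"),
                      ("List-Post", "<mailto:list@lists.example.net>")]

if __name__ == "__main__":
    plain = sign(ORIGINAL)
    over = sign(ORIGINAL, oversign=["List-Id"])
    print("h= (present only):", ":".join(plain[0]))
    print("  valid after list adds headers:", verify(RELAYED, plain))
    print("h= (oversigned):  ", ":".join(over[0]))
    print("  valid after list adds headers:", verify(RELAYED, over))
    print("h= when the list re-signs:", ":".join(sign(RELAYED)[0]))
```
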