Re: dovecot mailing list (this mailing list), DKIM, SPF and DMARC

Fri, 21 Oct 2022 15:01:53 -0700 

Trojitá, a fast Qt IMAP e-mail client
http://www.trojita.flaska.net/

I also use
http://opendkim.org/ http://www.trusteddomain.org/opendmarc/ 

as milters on Postfix
Active development, I'm sure they could all use some help, or forks for alternatives, I don't know, I'm not involved in development per se, just a user, and I have to get off the property of any of these places with my code before anything happens. All that Finnish osalliyhdistys and by the time a Swede gets online all hell breaks loose./ 

On Friday, October 21, 2022 1:50:43 PM AKDT, hi@zakaria.website wrote:

On 2022-10-11 14:05, Benny Pedersen wrote:

hi@zakaria.website skrev den 2022-10-11 13:42: ...


Indeed, it's because you set the following headers in dkim signing headers:-

from : subject :
    date : to : message-id
Although not sure why you've added some space, as per standards I think only colon separated list its the compliant format like the following:- 

from:subject:date:to:message-id
Anyhow this is my final update, the previous headers set which I included wasnt perfect as cc header was causing a trouble, given it can fail at some point e.g. when replying more than one time to the same recipient through a mailing list, and mind me OX and iRedMail, I had to check your signing headers set, hopefully you are ok for me to present it here as the optimal one to avoid DKIM failures:- 

OX:-
Date:From:To:In-Reply-To:References:Subject:From

IRM:-
x-mailer:message-id:in-reply-to:to:references:date:subject
    :mime-version:content-transfer-encoding:content-type:from
iRedMail seems to be the best headers set given it includes X-Mailer header, which enhances signature validity, when client uses specific mail client app, although it can be faked yet one must know which client app the sender would use and if was able to have information to this length I guess signature validity would be an easy task to break it further.
Also, I was advised by a friend to duplicate the signing headers in order to disallow spoofing signature further, while I couldnt see how nor populate a proof of concept, I removed it but if someone understand it, I would appreciate their elaboration, surely with thanks :) 

Good luck.

Zakaria.

Reply via email to