On Fri, Jun 9, 2023 at 2:14 AM Barry Leiba <barryle...@computer.org> wrote:

> > One case I saw multiple times where DKIM fails while SPF verifies is when the
> > message contains a line starting with "from " which some agent changes to
> > ">from ".  Some signing software eliminates such lines before signing, but
> > that's not in the spec, so one cannot say a signer is defective if it doesn't
> > do it.
>
> Have you seen that happen in the MTA relay process (in transit), or
> only after final delivery?  I can see that an MDA or a recipient MUA
> might do that, but it should *not* happen in transit, so it shouldn't
> affect DMARC processing.  Do you have actual examples where an MTA is
> making that change and breaking the DKIM sig?
>

My impression is that this translation (from "From " to ">From " and back)
is only supposed to happen at the endpoints.  If done properly, the
signature would be generated after the translation on egress and verified
prior to the translation on ingress.  DKIM is supposed to be executed
against the content that will be "on the wire".  If it's being done in
flight, something is broken.

And signing software shouldn't be mutating messages ever (other than adding
signatures, of course).

-MSK, participating
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
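
The ordering discussed in this message, as an added example that is not part of the original thread: it computes the DKIM body hash (`bh=`, RFC 6376 canonicalization) and shows that a "From " to ">From " rewrite only breaks verification when it happens between signing and verifying. The function names and the sample body are constructed for illustration, and only the body hash is modelled, not the header signature.

```python
import base64
import hashlib
import re

def simple_body(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", body) + b"\r\n"

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip trailing WSP and empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)

def body_hash(body: bytes, canon=relaxed_body) -> str:
    """Value a signer puts in bh= (SHA-256 over the canonicalized body)."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def mbox_escape(body: bytes) -> bytes:
    """Hypothetical agent: quote body lines that start with 'From '."""
    return re.sub(rb"(?m)^From ", b">From ", body)

def mbox_unescape(body: bytes) -> bytes:
    """Reverse translation, as an endpoint would apply it on ingress."""
    return re.sub(rb"(?m)^>From ", b"From ", body)

def bh_verifies(signed_bh: str, received: bytes, canon=relaxed_body) -> bool:
    return body_hash(received, canon) == signed_bh

# Constructed sample body, CRLF line endings as on the wire.
BODY = b"Hi,\r\n\r\nFrom what I can see the relay is fine.\r\nRegards\r\n"

def scenarios() -> dict:
    bh = body_hash(BODY)                  # signer hashes the wire content
    escaped = mbox_escape(BODY)
    return {
        # agent rewrites the body after signing, before verification
        "rewritten_in_transit": bh_verifies(bh, escaped),
        # verifier checks the wire content first; translation happens later
        "verified_then_stored": bh_verifies(bh, BODY),
        # sender translates before signing; receiver verifies before undoing it
        "escaped_then_signed": bh_verifies(body_hash(escaped), escaped),
        # undoing the translation before verifying breaks that same signature
        "unescaped_then_verified": bh_verifies(body_hash(escaped), mbox_unescape(escaped)),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Neither canonicalization touches a leading ">", so the rewrite changes the hash under both `simple` and `relaxed`.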
