On Tuesday, 31 July 2018 9:26:15 PM AEST Jeremy Harris via Exim-users wrote:
> On 07/31/2018 12:08 PM, Graeme Fowler via Exim-users wrote:
> > X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt;
> >
> > c=relaxed/relaxed;
> > d=open-t.co.uk; s=20170820; h=Content-Transfer-Encoding:Content-Type:...
> >
> > The second one has included headers which I would not expect to be present
> > on a message from a client to a mailing list. It also includes them in
> > the DKIM sig - yet they don't exist, or shouldn't, at the submission
> > stage.
>
> Oversigning. It gives an assertion that the header is not present.
> Exim can do it; it's not default - see the last para. in the description
> of dkim_sign_headers.

Yeah, oversigning indeed. I think the recommendation from the DKIM RFC is about
signing and not oversigning. I've changed the preferences for DKIM into:

dkim_sign_headers = +From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:+Content-Description:+Content-Disposition:=Resent-Date:=Resent-From:=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:+References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:=List-Post:=List-Owner:=List-Archive

This choice is based on https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
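
Added example, not part of the original post and not Exim code: a Python model of how the `+` and `=` prefixes in the dkim_sign_headers value above become the h= list for one message, following the prefix rules in Exim's dkim_sign_headers documentation, and which listed names would still accept an extra header instance without invalidating the signature. The sample header list and the function names are constructed for illustration.

```python
from collections import Counter

# The dkim_sign_headers value from the post above.
SPEC = (
    "+From:+Sender:+Reply-To:+Subject:+Date:+Message-ID:+To:+Cc:"
    "+MIME-Version:+Content-Type:+Content-Transfer-Encoding:+Content-ID:"
    "+Content-Description:+Content-Disposition:=Resent-Date:=Resent-From:"
    "=Resent-Sender:=Resent-To:=Resent-Cc:=Resent-Message-ID:+In-Reply-To:"
    "+References:=List-Id:=List-Help:=List-Unsubscribe:=List-Subscribe:"
    "=List-Post:=List-Owner:=List-Archive"
)

# Constructed sample: header names present on a message at submission time.
SAMPLE_HEADERS = ["From", "To", "Subject", "Date", "Message-ID",
                  "MIME-Version", "Content-Type"]

def parse_spec(spec):
    """Yield (prefix, name) for each colon-separated list item."""
    for item in spec.split(":"):
        item = item.strip()
        if item:
            prefix = item[0] if item[0] in "+=" else ""
            yield prefix, item[len(prefix):]

def expand_sign_headers(spec, headers):
    """Return the names placed in h=, one entry per signed slot."""
    present = Counter(h.lower() for h in headers)
    h_list = []
    for prefix, name in parse_spec(spec):
        n = present[name.lower()]
        if prefix == "=":
            slots = n        # every instance present; nothing if absent
        elif prefix == "+":
            slots = n + 1    # every instance plus one empty slot (oversign)
        else:
            slots = 1        # plain name: one slot, present or not
        h_list.extend([name] * slots)
    return h_list

def appendable(spec, headers):
    """Listed names where one more instance would not break the signature."""
    present = Counter(h.lower() for h in headers)
    signed = Counter(h.lower() for h in expand_sign_headers(spec, headers))
    names = dict.fromkeys(name for _, name in parse_spec(spec))
    return [n for n in names if signed[n.lower()] <= present[n.lower()]]

if __name__ == "__main__":
    print("h=" + ":".join(expand_sign_headers(SPEC, SAMPLE_HEADERS)))
    print("not oversigned:", ", ".join(appendable(SPEC, SAMPLE_HEADERS)))
```

Header names that do not appear in the setting at all are not reported by `appendable`; they are never covered by the signature.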