I was tracing down a strange bug in which mail sent to a role account in an IETF working group was forwarded to the recipient's Gmail account and appeared with a big ugly security warning saying invalid DKIM signature. I found that the sender's mail system adds a DKIM signature that oversigns the Resent-xxx headers (i.e., it asserts that they don't exist). When the IETF forwards the mail, it correctly adds Resent-xxx headers, which breaks the signature and causes the warning.
The sender tells me that his mail provider uses Exim, and says that it oversigns Resent-xxx headers by default, which means that nobody is allowed to forward the mail. That seems ill-advised, since one of the points of DKIM is that forwarding works, unlike SPF. He also claimed that RFC 6376 says to do that, but it doesn't. It does warn that Resent-xxx headers can be reordered, which can break signatures, but that's not the problem here.

By coincidence, yesterday the IETF DKIM working group met, and one of the authors of RFC 6376 confirmed to me that oversigning Resent-xxx headers is not what they intended.

Does Exim do that by default? If so, please don't.

R's,
John

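A check a postmaster can run on a captured message to see whether its signer pinned Resent-* fields as absent, i.e. listed them in the DKIM h= tag more times than they occur. This is an added example, not code from the original post or from Exim; the sample message is constructed, with placeholder bh= and b= values, and the script inspects the h= tag only and does not verify the signature.

```python
import email
import re
from collections import Counter

# Constructed sample (not from the original post): h= lists four Resent-*
# fields that are not present, so a forwarder that adds any of them will
# invalidate the signature. bh= and b= are placeholders, not real values.
SAMPLE_MESSAGE = b"""DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;
 h=from:to:subject:date:resent-from:resent-to:resent-date:resent-message-id;
 bh=PLACEHOLDER=; b=PLACEHOLDER=
From: sender@example.org
To: role@example.net
Subject: test
Date: Mon, 1 Jan 2024 00:00:00 +0000

body
"""


def dkim_tags(sig_value: str) -> dict:
    """Parse a DKIM-Signature tag list into {tag: value}; folding whitespace dropped."""
    tags = {}
    for part in re.sub(r"\s+", "", sig_value).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key] = value
    return tags


def signed_vs_present(raw: bytes) -> dict:
    """Map each name in h= to (times listed in h=, times present in the message)."""
    msg = email.message_from_bytes(raw)  # compat32: keys() keeps duplicate names
    sig = msg.get("DKIM-Signature")
    if sig is None:
        raise ValueError("no DKIM-Signature header")
    listed = Counter(h.lower() for h in dkim_tags(sig)["h"].split(":") if h)
    present = Counter(k.lower() for k in msg.keys())
    return {name: (n, present.get(name, 0)) for name, n in listed.items()}


def oversigned(raw: bytes) -> list:
    """Names listed in h= more often than they occur: the extra entry asserts absence."""
    return sorted(n for n, (n_listed, n_present) in signed_vs_present(raw).items()
                  if n_listed > n_present)


def forwarding_hostile(raw: bytes) -> list:
    """Oversigned Resent-* fields, which a forwarder adds and would thereby break."""
    return [n for n in oversigned(raw) if n.startswith("resent-")]


if __name__ == "__main__":
    print(forwarding_hostile(SAMPLE_MESSAGE))
```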