On 2025-07-23 John Levine via Exim-users <[email protected]> wrote:
> I was tracing down a strange bug in which mail sent to a role account
> in an IETF working group was forwarded to the recipient's Gmail
> account and appeared with a big ugly security warning saying invalid
> DKIM signature. I found that the sender's mail system adds a DKIM
> signature that oversigns the Resent-xxx headers (i.e., it asserts that
> they don't exist). When the IETF forwards the mail, it correctly adds
> Resent-xxx headers, which breaks the signature and causes the warning.
>
> The sender tells me that his mail provider uses Exim, and says that it
> oversigns Resent-xxx headers by default, which means that nobody is
> allowed to forward the mail. That seems ill-advised since one of the
> points of DKIM is that forwarding works, unlike SPF.
>
> He also claimed that RFC 6376 says to do that, but it doesn't. It
> does warn that Resent-xxx headers can be reordered which can break
> signatures, but that's not the problem here. By coincidence,
> yesterday the IETF DKIM working group met and one of the authors of
> RFC 6376 confirmed to me that oversigning Resent-xxx headers is not
> what they intended.
>
> Does Exim do that by default? If so, please don't.

That would be https://bugs.exim.org/show_bug.cgi?id=2394#c5

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
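The breakage John describes comes from the header-selection step of DKIM verification (RFC 6376 section 5.4.2): a name listed in h= more times than the field occurs asserts that no further instance exists, so a forwarder adding that field changes the signed header set. The following is an added example, not code from the list post or from Exim, modelling that step on a constructed message; the addresses are hypothetical, and a sha256 over the canonicalized headers stands in for the real signature (the DKIM-Signature self-inclusion and body hash are left out).

```python
import hashlib
from email import message_from_string

# Constructed sample message (not taken from the list post).
ORIGINAL = """From: [email protected]
To: [email protected]
Subject: minutes
Date: Wed, 23 Jul 2025 10:00:00 +0000

body text
"""

# Fields a forwarder (here a hypothetical role-account exploder) prepends; constructed.
RESENT = "Resent-From: [email protected]\nResent-To: [email protected]\n"

def relaxed_header(name, value):
    """RFC 6376 3.4.2 relaxed canonicalization: lowercase the name, unfold the
    value and squeeze runs of whitespace to a single space."""
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def signed_header_block(msg, h_tag):
    """Select header fields as a verifier does (RFC 6376 5.4.2): each name in
    h= consumes the next unused instance of that field, counting from the
    bottom of the header block upward.  A name with no instance left
    contributes nothing, so listing a field more often than it occurs
    'oversigns' it: any later addition of that field changes the hash."""
    unused, out = {}, []
    for name in h_tag.split(":"):
        key = name.strip().lower()
        if key not in unused:
            unused[key] = [v for k, v in msg.items() if k.lower() == key]
        if unused[key]:
            out.append(relaxed_header(key, unused[key].pop()))
    return "".join(out)

def header_hash(msg_text, h_tag):
    """Stand-in for the signed header hash.  Simplification: real DKIM also
    hashes the DKIM-Signature field itself (with b= emptied) and the body."""
    block = signed_header_block(message_from_string(msg_text), h_tag)
    return hashlib.sha256(block.encode()).hexdigest()

def survives_forwarding(h_tag, original=ORIGINAL):
    """True if the signed header set is unchanged after a forwarder prepends
    Resent-* fields, i.e. the signature would still verify."""
    return header_hash(original, h_tag) == header_hash(RESENT + original, h_tag)

PLAIN = "from:to:subject:date"
OVERSIGNED = PLAIN + ":resent-from:resent-to"  # asserts Resent-* are absent
```

Running `survives_forwarding` on both h= lists shows the difference: the plain list still verifies after forwarding, the oversigned list does not, which is the check to apply to a signer's h= before enabling oversigning of fields that legitimate forwarders add.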
