> On 7 Dec 2022, at 17:16, Barry Leiba <[email protected]> wrote:
>
>> The purpose of a DKIM signature is, as our original statement put it, to
>> make sure that a message from your bank actually came from your bank,
>> even if it passed through your alumni association. Once it arrives to
>> your real mailbox, that signature is not needed.
>
> As long as the signature is not removed in the alumni case I'm
> somewhat less concerned, but...
>
> In some systems, sieve scripts and other filtering is done *after* the
> MUA drops the message in the delivery mailbox. If that drop removes
> the signature, that hampers the sieve/filtering process severely. A
> sieve "redirect" becomes impossible, and the filtering would not be
> able to use the DKIM signature for other purposes either (though it
> might be able to rely on the auth-results header field for some
> things).
>
> That's what concerns me.

Maybe there’s a split the baby piece where part of the signature is stripped. I’ll be honest, the only bits I really look at are s= and d=. Maybe stripping part (bh?) while leaving the useful bits is a solution.

Of course, that is not going to address the replay attack problem at all.

laura

--
The Delivery Experts

Laura Atkins
Word to the Wise
[email protected]

Email Delivery Blog: http://wordtothewise.com/blog

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
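
Added example, not part of the original thread: a sketch of what stripping `bh=` from a DKIM-Signature leaves behind, using the tag-list syntax and required-tag set from RFC 6376. The header value is constructed, and `summarize` and its `can_verify` flag are hypothetical names; the check is structural only (required tags present) and performs no cryptographic verification.

```python
import re

# Tags RFC 6376 requires in every DKIM-Signature header field.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")

# Constructed sample value with placeholder hashes (not a real signature).
SAMPLE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=bank.example; s=sel2022;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDERBODYHASH=;\r\n"
    "\tb=PLACEHOLDERSIGNATURE=="
)

def parse_tags(value):
    """Parse a DKIM-Signature value into an ordered {tag: value} dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if not part.strip():
            continue  # a trailing ';' is allowed
        # Split on the first '=' only: base64 values may end in '=' padding.
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"malformed tag-spec: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = val.strip()
    return tags

def strip_tags(tags, drop):
    """Return a copy of the tag dict without the tags named in `drop`."""
    return {k: v for k, v in tags.items() if k not in drop}

def summarize(value, drop=()):
    """Report what a downstream filter can still read after stripping."""
    tags = strip_tags(parse_tags(value), set(drop))
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    return {
        "d": tags.get("d"),          # signing domain, still readable
        "s": tags.get("s"),          # selector, still readable
        "missing": missing,          # required tags no longer present
        "can_verify": not missing,   # structural eligibility only
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(summarize(SAMPLE, drop=("bh",)))
```

With `bh` dropped, `d=` and `s=` remain readable but the header lacks a tag every verifier requires, so a filter running after the strip sees those values as unauthenticated text rather than a checkable signature.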
