On Fri, Feb 3, 2023 at 5:14 PM Michael Thomas <[email protected]> wrote:

> That said, I don't know why we didn't make To:, Cc: and Subject:
> mandatory signed fields. But even if it's not mandatory, that should be
> a signal that the message should be given increased scrutiny.
>

RFC 4871 included those as SHOULD when selecting what to sign.  In RFC 6376
we backed off of that to more general guidance rather than listing specific
header fields.  In RFC 5451, we carved out the possibility that a verifier
might decide to reject a DKIM signature not covering Subject (for example)
even if it validates, because it's not covering important displayed content.
I know OpenDKIM exposed this as a configuration option.

But with respect to replay: Even if To and Cc are signed, there's nothing
in DKIM requiring that they reflect any identities present in the envelope.

-MSK
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
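As an added illustration of the two points in the reply above (a verifier applying a local policy that a validating signature whose h= tag leaves displayed headers uncovered deserves extra scrutiny, and the replay caveat that signed To:/Cc: are never tied to the SMTP envelope), here is example code that is not part of the thread or of OpenDKIM. The DKIM-Signature, headers and envelope recipients are constructed samples; only the h= tag list is parsed per RFC 6376's tag syntax, and no signature verification is performed.

```python
import re
from email.utils import getaddresses

# Constructed sample DKIM-Signature (not from a real message); bh= and b= are
# placeholders because only the h= tag list is inspected here, no crypto is run.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
              "\th=from:date:message-id; bh=PLACEHOLDER; b=PLACEHOLDER")

# Constructed message headers and SMTP envelope for the replay check below.
SAMPLE_HEADERS = {"To": "Alice <alice@example.net>", "Cc": ""}
SAMPLE_RCPTS = ["alice@example.net", "mallory@example.org"]


def parse_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).
    Folding whitespace inside values is dropped, as a verifier would."""
    tags = {}
    for part in sig.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signed_headers(sig: str) -> list:
    """Header field names listed in h=, lowercased (names are case-insensitive)."""
    return [h.lower() for h in parse_tags(sig).get("h", "").split(":") if h]


def uncovered_display_headers(sig: str, required=("from", "to", "cc", "subject")) -> list:
    """Displayed headers a local policy wants signed but h= leaves out.
    From is mandatory per RFC 6376; To/Cc/Subject are the optional policy the
    reply mentions. A non-empty result is a 'scrutinize' signal, not proof of abuse."""
    covered = set(signed_headers(sig))
    return [h for h in required if h not in covered]


def envelope_rcpts_not_in_headers(headers: dict, rcpts: list) -> list:
    """Envelope recipients (RCPT TO) absent from the To:/Cc: headers.
    DKIM never ties signed To/Cc to the envelope, so a replayed message can be
    delivered to anyone; a mismatch is a signal only (Bcc recipients also show up)."""
    listed = {addr.lower() for _, addr in
              getaddresses([headers.get("To", ""), headers.get("Cc", "")]) if addr}
    return [r for r in rcpts if r.lower() not in listed]


if __name__ == "__main__":
    print("unsigned display headers:", uncovered_display_headers(SAMPLE_SIG))
    print("envelope recipients not in To/Cc:",
          envelope_rcpts_not_in_headers(SAMPLE_HEADERS, SAMPLE_RCPTS))
```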