On 8/13/2023 8:31 PM, Jesse Thompson wrote:
> If I understand based on my limited view of history, DKIM was designed for authentication between two hops.

No.

In email parlance, a hop is one SMTP transit, with relaying done by MTAs.

DKIM was designed to survive from posting to delivery (for an address in a SMTP RCPT-TO command).

That is, it was designed to survive classic MTA relaying.

What breaks a DKIM signature -- ignoring MTAs that go beyond their remit -- is activities that take delivery and then repost. Mailing lists are the classic example, but only an example.

(SPF, on the other hand, only survives one hop, except in very special cases.)


> Signature survival across intermediaries was only achievable by encouraging intermediaries to not make any changes to the message "inside the envelope" such as standards-allowed MIME re-encoding (which, notably, prevents intermediaries from improving MIME interoperability).
MTAs that are doing MTA functions are not supposed to make changes to the content and typically they don't.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
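The distinction drawn in the reply above, that classic MTA relaying leaves the signed content alone while a take-delivery-and-repost intermediary such as a mailing list rewrites it, can be shown in runnable form. The following is an added example, not code from the thread or from any DKIM implementation: it uses a simplified RFC 6376 "relaxed" canonicalization of the body and of the signed headers (From, To, Subject, Date), and an HMAC keyed with a constructed secret stands in for the RSA or Ed25519 signature a real signer would produce. The messages and the three intermediary behaviours (trace-header relay, header re-folding, list repost) are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed secret standing in for the signer's private key. A real DKIM
# signature is a public-key signature over the same canonicalized data; HMAC
# keeps the example dependency-free while preserving "any change breaks it".
SIGNER_KEY = b"constructed-example-key"
SIGNED_HEADERS = ["from", "to", "subject", "date"]  # would appear in the h= tag


def canon_body_relaxed(body: str) -> bytes:
    """Relaxed body canonicalization (RFC 6376 section 3.4.4, simplified)."""
    lines = body.replace("\r\n", "\n").split("\n")
    # Collapse whitespace runs to one space and drop trailing whitespace per line.
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":  # remove trailing empty lines
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b"\r\n"


def canon_header_relaxed(name: str, value: str) -> bytes:
    """Relaxed header canonicalization: lowercase name, unfold, squeeze WSP."""
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.lower()}:{value}\r\n".encode()


def parse_message(raw: str):
    """Split a raw RFC 5322 message into an ordered (name, value) list and body."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name, value))
    return headers, body


def signature_input(headers, body: str) -> bytes:
    """Body hash followed by the canonicalized signed headers, as DKIM hashes them."""
    data = hashlib.sha256(canon_body_relaxed(body)).digest()
    for want in SIGNED_HEADERS:
        # DKIM selects the last instance of each listed header (bottom-up search).
        for name, value in reversed(headers):
            if name.lower() == want:
                data += canon_header_relaxed(name, value)
                break
    return data


def sign(raw: str) -> str:
    """Signature carried out of band here; a real signer adds a DKIM-Signature header."""
    headers, body = parse_message(raw)
    return hmac.new(SIGNER_KEY, signature_input(headers, body), hashlib.sha256).hexdigest()


def verify(raw: str, sig: str) -> bool:
    return hmac.compare_digest(sign(raw), sig)


# Constructed message as posted by the author.
ORIGINAL = """From: alice@example.org
To: bob@example.net
Subject: Quarterly numbers
Date: Sun, 13 Aug 2023 20:31:00 +0000

Here are the numbers.
"""


def relay_through_mta(raw: str) -> str:
    """An MTA doing MTA work: prepends a trace header, touches nothing else."""
    return "Received: from mta.example.org by mx.example.net; Sun, 13 Aug 2023 20:32:00 +0000\n" + raw


def refold_headers(raw: str) -> str:
    """An intermediary re-folds a header line; relaxed canonicalization absorbs this."""
    return raw.replace("To: bob@example.net", "To:\n\tbob@example.net")


def mailing_list_repost(raw: str) -> str:
    """A list takes delivery and reposts: subject tag and footer change signed content."""
    return raw.replace("Subject: ", "Subject: [numbers-list] ") + "--\nnumbers-list mailing list\n"


if __name__ == "__main__":
    sig = sign(ORIGINAL)
    print("two MTA hops     :", verify(relay_through_mta(relay_through_mta(ORIGINAL)), sig))
    print("re-folded header :", verify(refold_headers(ORIGINAL), sig))
    print("list repost      :", verify(mailing_list_repost(ORIGINAL), sig))
```

Any number of relaying hops that only add trace headers leave the signature verifiable, because Received is not among the signed headers and the body is untouched; the re-folded To header also survives because relaxed canonicalization unfolds it before hashing. The list repost fails on both counts at once (the Subject value and the body hash change), which is why the body hash is usually the first thing a verifier reports when diagnosing a list-broken signature.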