On 27/10/2025 2:00 pm, Inveigle.net wrote:
The motivation document indicates a requirement for the full set of headers to be included in a bounce message (optional per RFC3462), but as the rt=, mf= and pp= or nd= tags are all signed along with a hash of the now non-existent body, it is impossible to verify the the chain of custody even with the full set of headers. It leaves open the potential for a malicious actor to send bounces back up the chain and even manipulate the chain if the intermediary either doesn't or cannot store additional state information regarding the routing of every instance of every message they handle.
I realised there was a mistake with my analysis here. The body hash is present in the signature so it is possible to verify the signature in the absence of the body content.
I still consider explicitly signing the next domain on delivery, independently of the DKIM2-Signature, to be the most efficient and simplest implementation.
Regards, R. Latimer Inveigle.net _______________________________________________ Ietf-dkim mailing list -- [email protected] To unsubscribe send an email to [email protected]
