> On May 26, 2016, at 1:25 PM, Joel Beckham <j...@bombbomb.com> wrote: > > Are there any negative consequences to consider before excluding message-id > from our signature? > > I'm working towards p=reject on bombbomb.com and found that Securence / > usinternet.com (A forwarder) gets a measurable percentage of our mail and > modifies the message-id in the process. This breaks our DKIM signature and > causes DMARC to fail at the destination. Working directly with them, I've > learned that they're unable to preserve the signed message-id. > > RFC4871 says it "SHOULD be included", but not required. RFC6376 adds, which > is the part that has me concerned, that: > > Verifiers may treat unsigned header fields with extreme > skepticism, including refusing to display them to the end user or > even ignoring the signature if it does not cover certain header > fields.
Probably not. It increases your vulnerability to simple replay attacks significantly, but they're not really a thing. DKIM validators are unlikely to care - that warning is more about things like the Subject, Date, and other user-visible fields, I think. (In theory, if they change the message-id it is - by definition - no longer the same message and it shouldn't authenticate. But, eh.) I might try reaching out to Securence too and see if they're prepared to fix their behaviour as it's probably breaking things for many of their users, not just your recipients. Cheers, Steve _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
