> On Dec 12, 2016, at 12:15 PM, Maarten Oelering <maar...@postmastery.net> > wrote: > > DKIMCore promotes the use of simple body canocalization: > http://dkimcore.org/deployment/dkim.html.
Something that might not be the most robust configuration, given Microsoft's whitespace issues, though at the time it was written the failure modes in the body of the message tended to be more spectacular than relaxed canonicalization would help with. (And the author contradicts himself in todays blog post: https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/ ) > > Should ESPs use relaxed body canocalization instead to avoid these (rare) > validation issues? Yes. They should also probably: o Not use tabs for whitespace. o Use email addresses of the form "friendly address" <local@domain> o Avoid lines longer than 80 characters o Use quoted-printable for all body text o ... None of this is particularly important when the only fallout of a DKIM validation failure is "meh, it's email". DKIM is fragile in transit, we know that. It goes wrong when people also deploy DMARC with p=reject, which repurposes DKIM and SPF to make negative rather than positive assertions, so actually fails when both DKIM and SPF fail to validate. So we have to care more now. Cheers, Steve > > Thanks, > > Maarten Oelering > Postmastery > > On Sun, 11 Dec 2016 at 20:29, Steve Atkins <st...@blighty.com> wrote: > > > > > On Dec 11, 2016, at 8:53 AM, Dave Crocker <d...@dcrocker.net> wrote: > > > > > > On 12/10/2016 8:08 AM, Al Iverson wrote: > > >> Suggestion...modify the template to remove all the tabs or replace > > >> them with spaces, and try again. If it passes on both, then you've > > >> found that something in the delivery path is replacing tabs with > > >> spaces, invalidating the DKIM signature. > > > > > > > > > The original DKIM header field seems to show use of 'relaxed' which ought > > to make sp/tab transformations transparent. > > > > > > "Convert all sequences of one or more WSP characters to a single SP > > > character." > > > > > > hmmm... > > > > c=relaxed is identical to c=relaxed/simple, so these messages sent with > c=relaxed are sensitive to whitespace changes in the body. > > > > (Not the first time I've seen this, and it's arguably a usability bug in the > DKIM spec.) > > > > Cheers, > > Steve > > _______________________________________________ > > mailop mailing list > > mailop@mailop.org > > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop > _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
