It's unfortunate that dkim canonicalization is based on the raw message, and now on what the message represents, though defining a shared understanding of the "decoded" message along various lines would be quite complicated (IMAP somewhat does that, I guess).
In any case, obviously if you care about DKIM authentication as a receiver, you should do it before normalization as well. Brandon On Mon, Jun 12, 2017 at 9:04 AM, Vladimir Dubrovin via mailop < mailop@mailop.org> wrote: > > To normalize the message before signing is a good solution. Switching > normalization off does not solve the problem, because receiver can also > normalize the message before checking signature. > > 11.06.2017 19:17, Carl Byington пишет: > > On Fri, 2017-05-26 at 18:38 +0300, Vladimir Dubrovin wrote: > > In most cases, DKIM check fails because message was improperly > > formatted and was normalized by MTA before sending after DKIM > > signature is applied. > > We changed the mail flow so the path looks like: > > MUA -> sendmail with SMTP AUTH for outbound relaying > -> sendmail w/ opendkim signing > -> outbound targets > > The dkim failures shown on aggregate reports have almost completely > disappeared. One or more of the common mail user agents is clearly > sending slightly malformed mail, which sendmail is fixing after signing. > > It would be nice if sendmail had an option to override *all* the fixups, > but that could easily cause more problems. In particular, receiving > 8BITMIME over ESMTP, but relaying to a mail server that only supports > SMTP which needs 8->7 conversion. > > > > > > > > _______________________________________________ > mailop mailing > list > mailop@mailop.org > https://chilli.nosignal.org/ > cgi-bin/mailman/listinfo/mailop > -- > Vladimir Dubrovin > @Mail.Ru > > > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop > >
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop