Actually, I was just discussing these things - this is just regarding the new requirements from Google and Yahoo starting Feb 1st.
What happens, if a mail is sent from AmazonSES, with a signature key from amazonses.com, but with a header from set to something different, like hoffrichter.no Would that count as signed from Google? Would that be just an invalid signature, even though it is technically validly signed? It is only tangentially interesting for signing from Postfix, but a very interesting topic, especially together with someone who has a lot of experience in dkim signing! Regards, Jens On Thu, Nov 2, 2023 at 11:50 AM Scott Kitterman via Postfix-users <postfix-users@postfix.org> wrote: > > > > On November 2, 2023 10:18:38 AM UTC, Jaroslaw Rafa via Postfix-users > <postfix-users@postfix.org> wrote: > >Dnia 2.11.2023 o godz. 09:42:01 Matus UHLAR - fantomas via Postfix-users > >pisze: > >> (once more: DKIM applies on header From:, SPF on envelope from:). > > > >And DMARC requires that both be identical (actually, from the same domain - > >user part may be different), which makes things even harder. > > This is only true for strict alignment, which is not the default. For > relaxed alignment (which is the default and what most domains use), the Mail > From domain (for SPF) and the DKIM signing domain (for DKIM) need to be > either the same domain as the body From domain or a subdomain. This provides > significant flexibility relative to the strict alignment requirements, but > this is little to do with the topic of the thread. > > Scott K > _______________________________________________ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org _______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
