On 02.11.23 12:04, Jens Hoffrichter via Postfix-users wrote:
> Actually, I was just discussing these things - this is just regarding
> the new requirements from Google and Yahoo starting Feb 1st.
>
> What happens, if a mail is sent from AmazonSES, with a signature key
> from amazonses.com, but with a header from set to something different,
> like hoffrichter.no
>
> Would that count as signed from Google? Would that be just an invalid
> signature, even though it is technically validly signed?

Google will require hoffrichter.no to have a DMARC record and pass DMARC.

Mail will pass DMARC if it has a valid DKIM signature from the hoffrichter.no domain.

It will also pass if the envelope from: is also in the hoffrichter.no domain AND passes the SPF check.

Thus, combined with previously posted information, mail with DKIM can be forwarded without issues (unless you modify its content), while forwarding mail with only SPF will lead to trouble.

> It is only tangentially interesting for signing from Postfix, but a
> very interesting topic, especially together with someone who has a lot
> of experience in dkim signing!

Note that you can have multiple DKIM keys in DNS for mail sent from different sources.

This is often used with mass-mailing services that have a separate DKIM key (selector) from your organization's mail server.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Emacs is a complicated operating system without good text editor.
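
The pass/fail rules described in this message, as an added example that is not part of the original post: a small DMARC alignment check run over constructed cases (the AmazonSES-only signature, a second signature from the From: domain, and forwarded mail). The `Message` fields, the sample domains other than hoffrichter.no and amazonses.com, and the two-label `org_domain` shortcut are assumptions; real evaluators derive the organizational domain from the Public Suffix List.

```python
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels.
    # Real DMARC evaluators use the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    """Relaxed alignment compares organizational domains; strict needs equality."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    header_from: str      # domain in the From: header (what DMARC protects)
    envelope_from: str    # domain of the envelope sender (the SPF identity)
    spf_pass: bool        # SPF result for envelope_from at the receiving hop
    dkim: list = field(default_factory=list)  # (d= domain, verified) pairs


def dmarc_pass(msg: Message) -> bool:
    # DMARC passes if at least one mechanism both verifies AND aligns
    # with the From: header domain.
    dkim_ok = any(ok and aligned(d, msg.header_from) for d, ok in msg.dkim)
    spf_ok = msg.spf_pass and aligned(msg.envelope_from, msg.header_from)
    return dkim_ok or spf_ok


# Constructed cases (not real mail).
# Valid signature and SPF, but both for amazonses.com: nothing aligns.
SES_ONLY = Message("hoffrichter.no", "amazonses.com", True,
                   [("amazonses.com", True)])
# Same mail with an additional signature under the From: domain's own key.
OWN_KEY = Message("hoffrichter.no", "amazonses.com", True,
                  [("amazonses.com", True), ("hoffrichter.no", True)])
# Forwarded: SPF fails at the new hop, the DKIM signature still verifies.
FORWARDED_DKIM = Message("hoffrichter.no", "hoffrichter.no", False,
                         [("hoffrichter.no", True)])
# Forwarded with no DKIM signature: SPF was the only mechanism and it fails.
FORWARDED_SPF_ONLY = Message("hoffrichter.no", "hoffrichter.no", False)
# No DKIM, but the envelope sender is a subdomain and SPF passes.
SPF_ALIGNED = Message("hoffrichter.no", "bounce.hoffrichter.no", True)

if __name__ == "__main__":
    for name in ("SES_ONLY", "OWN_KEY", "FORWARDED_DKIM",
                 "FORWARDED_SPF_ONLY", "SPF_ALIGNED"):
        print(f"{name:20} dmarc={'pass' if dmarc_pass(globals()[name]) else 'fail'}")
```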