Mark Martinec writes: > Thanks Justin and Daryl. > > > > (a) Is "From:addr" rather than "EnvelopeFrom:addr" the right header to > > > use? > > I'd say yes. DK signs the message, not the envelope. I'm pretty sure > > the current milters look for a From: header to decide on what > > selector/etc to use. > > Right, DK (as well as DKIM) uses addresses in the header, not envelope. > DK would choose Sender if it exists, otherwise a From, to obtain the > signer domain. DKIM is more sophisticated (could use Resent-From,...), but > basically, for direct mail the From header field is the most important one. > > > (b) are Y! signing all mail? I would have assumed some systems are not > > yet using DK. > > This is a key question here. I'd hope yes, since Yahoo was the leading > proponent in establishing this technology (now aiming for DKIM). > > Although their policy record still says 'testing' and 'signs SOME mail': > > $ host -t txt _domainkey.yahoo.com > t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys > > I think they are just conservative, trying to avoid some broken recipient's > mailer from rejecting their genuine mail, or to avoid problems with mailing > lists invalidating signatures when their user posts there. > > > In 3.1.x, you have to set priority manually, unfortunately, to be higher > > than both of the subrules. in 3.2.x, it'll do that automatically for you. > > Thanks for the info. > > > Personally I'd cut the score in half. > > Ok, perhaps. > > > Slow DNS could cause FPs -- I've seen it happen > > on mail from rogers.com which Y! runs. > > Interesting. Further experience is welcome. The _domainkey.yahoo.com > TXT policy record has TTL set to two hours, and one of their public > keys (s1024._domainkey.yahoo.com) has a lifetime of 24 hours - so a > local caching DNS resolver is likely to retrieve the policy from > its cache, or from any one of the 5 registered Yahoo name servers. > As far as I can tell, it is a global Yahoo thing, not something > pertaining to one or another of their servers. > > What about gmail.com? They seem to be signing their mail too > (see: host -t txt beta._domainkey.gmail.com) but also avoid full > commitment in their policy (no policy => default policy). > Any experience there?
ah. Here's another one that just occurred to me -- (c): if you're keying off the From: header, watch out for mailing list traffic that appends a footer to the body. That will cause a verification failure, and fire the rule. in other words: - sender @ yahoo.com sends mail to mailmanlist @ somelist.com; - mailmanlist @ somelist.com appends the mailman footer to the body text/plain part; - recipient gets message, reads From addr, verifies DK sig, which now fails. --j.