Mark Martinec writes:
> Thanks Justin and Daryl.
>
> > > (a) Is "From:addr" rather than "EnvelopeFrom:addr" the right header to
> > > use?
> > I'd say yes. DK signs the message, not the envelope. I'm pretty sure
> > the current milters look for a From: header to decide on what
> > selector/etc to use.
>
> Right, DK (as well as DKIM) uses addresses in the header, not envelope.
> DK would choose Sender if it exists, otherwise a From, to obtain the
> signer domain. DKIM is more sophisticated (could use Resent-From,...), but
> basically, for direct mail the From header field is the most important one.
>
> > (b) are Y! signing all mail? I would have assumed some systems are not
> > yet using DK.
>
> This is a key question here. I'd hope yes, since Yahoo was the leading
> proponent in establishing this technology (now aiming for DKIM).
>
> Although their policy record still says 'testing' and 'signs SOME mail':
>
> $ host -t txt _domainkey.yahoo.com
> t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys
>
> I think they are just conservative, trying to avoid some broken recipient's
> mailer from rejecting their genuine mail, or to avoid problems with mailing
> lists invalidating signatures when their user posts there.
>
> > In 3.1.x, you have to set priority manually, unfortunately, to be higher
> > than both of the subrules. in 3.2.x, it'll do that automatically for you.
>
> Thanks for the info.
>
> > Personally I'd cut the score in half.
>
> Ok, perhaps.
>
> > Slow DNS could cause FPs -- I've seen it happen
> > on mail from rogers.com which Y! runs.
>
> Interesting. Further experience is welcome. The _domainkey.yahoo.com
> TXT policy record has TTL set to two hours, and one of their public
> keys (s1024._domainkey.yahoo.com) has a lifetime of 24 hours - so a
> local caching DNS resolver is likely to retrieve the policy from
> its cache, or from any one of the 5 registered Yahoo name servers.
> As far as I can tell, it is a global Yahoo thing, not something
> pertaining to one or another of their servers.
>
> What about gmail.com? They seem to be signing their mail too
> (see: host -t txt beta._domainkey.gmail.com) but also avoid full
> commitment in their policy (no policy => default policy).
> Any experience there?
ah. Here's another one that just occurred to me -- (c): if you're keying
off the From: header, watch out for mailing list traffic that appends a
footer to the body. That will cause a verification failure, and fire the
rule.
in other words:
- sender @ yahoo.com sends mail to mailmanlist @ somelist.com;
- mailmanlist @ somelist.com appends the mailman footer to the body
text/plain part;
- recipient gets message, reads From addr, verifies DK sig, which now
fails.
--j.
