DKIM: adjust default signed headers to allow forwarding #71

Open. pacien wants to merge 1 commit into base: master

@pacien pacien commented Sep 27, 2019

Sign Sender, Resent-* and List-* headers only when present.

Those headers are commonly added or altered when messages are forwarded
manually or through mailing lists. The inclusion of their absence in the
signature causes those messages to be rejected or marked as spam by
the final recipient servers.

Additional explanations from some ML:
Your email gets marked as spam when it goes through a mailing list,
because the DKIM setup is wrong, and your DKIM header lines look like
this:

  DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=[…];
         s=[…]; h=Date:Message-ID:Cc:In-Reply-To:Subject:From:
        Content-Transfer-Encoding:MIME-Version:Content-Type:Reply-To:To:Content-ID:
        Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
        :Resent-Message-ID:References:List-Id:List-Help:List-Unsubscribe:
        List-Subscribe:List-Post:List-Owner:List-Archive;
        ...

and that's completely wrong when sending to a mailing list that will
explicitly add things like

  Sender: [email protected]
  Precedence: bulk
  List-ID: 
  X-Mailing-List: [email protected]

to help people see that it got expanded by a list. But because your
DKIM signature mentions fields like "List-ID", the resulting hash will
obviously not match any more after having gone through the list.

[…]

Anyway, a proper DKIM setup should have core headers like
from/to/subject/in-reply-to/message-id etc in the list of protected
headers. But it should _not_ try to protect things like List-ID or
List-Archive, which are very much about mailing lists you might be
sending things to.

It also shouldn't protect things like "Sender", which again are things
like list email re-sending, not in the original email. […]
that's another common configuration mistake that
makes DKIM useless with mailing lists.

            Linus "spam is my nemesis, trying to fix things" Torvalds
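The failure described above, as an added example that is not code from this pull request or the project: listing an absent header in `h=` signs its absence (RFC 6376 section 5.4.2), so the signed data changes once a list adds that header. The sample headers, addresses and the helper names are constructed assumptions, and the sketch compares only the digest of the selected header fields, leaving out the DKIM-Signature field itself and the RSA step.

```python
import hashlib

# Constructed sample headers (top to bottom), not taken from the page.
ORIGINAL = [
    ("From", "alice@example.org"),
    ("To", "dev-list@example.net"),
    ("Subject", "patch  review"),
    ("Message-ID", "<1@example.org>"),
]
# Headers a mailing list adds when it expands the message (constructed values).
LIST_ADDED = [
    ("Sender", "dev-list-owner@example.net"),
    ("List-Id", "<dev-list.example.net>"),
]

def relaxed(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization (unfolded input)."""
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def signed_header_digest(headers, h_list):
    """Digest of the header fields selected by h=, per RFC 6376 section 5.4.2.

    Each name in h= consumes the lowest not-yet-used instance of that header.
    A name with no remaining instance contributes the null string, so listing
    an absent header commits the signature to that header staying absent.
    """
    remaining = list(headers)
    data = ""
    for wanted in h_list:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                data += relaxed(*remaining.pop(i))
                break
    return hashlib.sha256(data.encode()).hexdigest()

def present_only(headers, candidates):
    """Keep only the candidate names that occur in the message being signed."""
    present = {n.lower() for n, _ in headers}
    return [c for c in candidates if c.lower() in present]

def survives_list(h_list):
    """True if the digest at signing time still matches after list expansion."""
    forwarded = LIST_ADDED + ORIGINAL  # the list prepends its own headers
    return signed_header_digest(ORIGINAL, h_list) == signed_header_digest(forwarded, h_list)

CORE = ["From", "To", "Subject", "Message-ID"]
OPTIONAL = ["Sender", "List-Id"]
```

`survives_list(CORE + OPTIONAL)` is false because the absent Sender and List-Id were signed as absent, while `survives_list(CORE + present_only(ORIGINAL, OPTIONAL))` is true.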
