Matthew Tse via mailop <[email protected]> writes:

> It seems there is some debate over whether forwarders should sign DKIM
> or not for forwarded email. Kind of a question on if we want to take
> "ownership" of this email.

Not really. The confusion was over whether your system was adding its own DKIM signature to the email, as is normal, or removing the existing one and replacing it with its own. The latter would be the wrong thing to do, as it would be sure to make DMARC fail: SPF would already be out of alignment, because of the forwarding, and removing the DKIM signature that the originating system added would make DKIM fail. As long as you don't alter the email body, or the headers that the DKIM signature applies to, the original signature will still be valid after the email is forwarded.

As for "taking ownership", that's not a good description. A DKIM signature is just a cryptographic fingerprint of the email body and a selection of its headers (including "From:"), made using a secret key belonging to the domain doing the signing, and verifiable using a public key posted to that domain's DNS zone. What the signature says is that if you, later, can still correctly verify the signature, then the parts of the message that the signer looked at have not been changed.

DMARC adds the assumption that an MTA will not send out an email purporting to be from someone in its own domain, which it holds the secret key for, without knowing that it's not a forgery. In other words, it assumes that MTAs are correctly configured, and not, for instance, open relays that anyone can connect to in order to forge email.

So, any valid DKIM signature says that the message passed through the signing domain, and has not been altered since then. A valid DKIM signature that's aligned with the From: address additionally says that the signing system trusts the source of the email, and believes that the address in the From: header is genuine.

-tih
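
The DMARC outcome for each forwarding case described in the message above, as an added example that is not part of the original post. The domains and results are constructed, and the two-label organizational domain rule is a simplifying assumption (real evaluators use the Public Suffix List).

```python
from dataclasses import dataclass

@dataclass
class DkimResult:
    domain: str   # d= tag of the signature
    valid: bool   # did it still verify at the final receiver?

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels.
    # Real DMARC implementations consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a: str, b: str) -> bool:
    # Relaxed alignment: organizational domains must match.
    return org_domain(a) == org_domain(b)

def dmarc_pass(from_domain, spf_pass, mail_from_domain, dkim_results):
    # DMARC passes if SPF or DKIM passes AND is aligned with From:.
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain)
    dkim_ok = any(r.valid and aligned(r.domain, from_domain)
                  for r in dkim_results)
    return spf_ok or dkim_ok

FROM = "example.org"        # constructed originating domain
FWD = "forwarder.example"   # constructed forwarding domain

def scenarios():
    return {
        # Direct delivery: SPF and DKIM both aligned.
        "direct": dmarc_pass(FROM, True, "bounce.example.org",
                             [DkimResult(FROM, True)]),
        # Forwarder keeps the original signature and adds its own:
        # SPF is unaligned, the surviving original signature carries DMARC.
        "forwarded_added": dmarc_pass(FROM, True, FWD,
                                      [DkimResult(FROM, True),
                                       DkimResult(FWD, True)]),
        # Forwarder strips the original signature and replaces it:
        # nothing aligned with From: is left.
        "forwarded_replaced": dmarc_pass(FROM, True, FWD,
                                         [DkimResult(FWD, True)]),
        # Forwarder alters the body: original signature no longer verifies.
        "forwarded_altered": dmarc_pass(FROM, True, FWD,
                                        [DkimResult(FROM, False),
                                         DkimResult(FWD, True)]),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: DMARC {'pass' if ok else 'fail'}")
```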
