From: "Rick Moen" rick@linuxmafia.com
Subject: Re: BALUG-Talk and SPF/DKIM
Date: Thu, 17 Aug 2017 06:31:48 -0700

To the best of my recollection (and I'm presently busy and cannot double-check all of this), some subset of the full SMTP headers are included in the DKIM attestation. I can't remember which, nor whether the DKIM-issuing operator can decide which. I vaguely recall that the extra headers MLMs intentionally add, the MLM footer, the MLM modification to the Subject header (like adding [DNG]), and more are all somewhat problematic for DKIM validation.
Been a while since I looked at it, but as I seem to recall, with DKIM the sender (e.g. MTA) can specify and use within DKIM, exactly which header(s) are included in DKIM - and any headers not specified as included with DKIM are ignored as far as DKIM is concerned. I forget exactly how the body works with DKIM - whether it must be included, or is optional as to whether or not it's included.
Anyway, DKIM can be not that horrible - and even useful/beneficial - *if* it's reasonably used. And, it can also be an impossible nightmare if it's used quite improperly. I don't think there's anything in DKIM that prevents one from, e.g. misconfiguring an MTA to DKIM sign headers that ought never ever be signed. At least that's what I seem to recall from earlier.

I also recall some handy tool(s) on Linux to (manually) check DKIM on a given, e.g. file or stdin of a full mail message with headers 'n all. Don't recall what tool I used for that though ... let's see if this might help my memory ...

$ apropos dkim
dkimproxy-sign (1) - computes a DKIM signature for an email message
dkimproxy-verify (1) - insert here a description
Mail::DKIM (3pm) - Signs/verifies Internet mail with DKIM/DomainKey signa...
Mail::DKIM::Algorithm::Base (3pm) - base class for DKIM "algorithms"
Mail::DKIM::AuthorDomainPolicy (3pm) - represents an Author Domain Signing Pr...
Mail::DKIM::Canonicalization::Base (3pm) - base class for canonicalization me...
Mail::DKIM::Canonicalization::DkimCommon (3pm) - common canonicalization methods
Mail::DKIM::DkimPolicy (3pm) - represents a DKIM Sender Signing Practices record
Mail::DKIM::DkPolicy (3pm) - represents a DomainKeys Sender Signing Policy re...
Mail::DKIM::DkSignature (3pm) - represents a DomainKeys-Signature header
Mail::DKIM::DNS (3pm) - performs DNS queries for Mail::DKIM
Mail::DKIM::Policy (3pm) - abstract base class for originator "signing" policies
Mail::DKIM::PrivateKey (3pm) - a private key loaded in memory for DKIM signing
Mail::DKIM::Signature (3pm) - represents a DKIM-Signature header
Mail::DKIM::Signer (3pm) - generates a DKIM signature for a message
Mail::DKIM::SignerPolicy (3pm) - determines signing parameters for a message
Mail::DKIM::TextWrap (3pm) - text wrapping module written for use with DKIM
Mail::DKIM::Verifier (3pm) - verifies a DKIM-signed message

Hmmmm... not sure what I might've used before ... it's been several years or more. Mail::DKIM::Verifier looks probable, or perhaps dkimproxy-verify, but I don't specifically recall.
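
Added example, not part of the original message and not taken from any tool named in it: it reads the h= and l= tags of a DKIM-Signature (RFC 6376) and reports which mailing-list changes fall on data the signature covers. The signature value, the function names and the assumption that a list footer is appended as plain text after the original body are all constructed for illustration.

```python
import re

# Constructed DKIM-Signature value; bh= and b= are placeholders, not real hashes.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;\r\n"
              "\th=From:To:Subject:Date:Message-ID;\r\n"
              "\tbh=PLACEHOLDER; b=PLACEHOLDER")


def parse_tags(sig_value):
    """Split a DKIM-Signature value into {tag: value} (RFC 6376 tag-list)."""
    tags = {}
    for part in sig_value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def signed_headers(tags):
    """Lower-cased header names listed in h=, the only headers the signature covers."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def touches_signed_content(sig_value, modified=(), added=(), footer_appended=False):
    """Return the list-manager changes that fall on data covered by the signature.

    modified: names of existing headers the list rewrites (e.g. a Subject tag)
    added:    names of headers the list adds (e.g. List-Id)
    footer_appended: the list appends text after the original body
    """
    tags = parse_tags(sig_value)
    covered = set(signed_headers(tags))
    hits = [f"header rewritten: {h}" for h in modified if h.lower() in covered]
    hits += [f"header added under signed name: {h}" for h in added
             if h.lower() in covered]
    # The body is always hashed (bh=); only an l= length limit leaves
    # text appended after the signed length outside the hash.
    if footer_appended and "l" not in tags:
        hits.append("body footer (no l= limit)")
    return hits


if __name__ == "__main__":
    for hit in touches_signed_content(SAMPLE_SIG, modified=["Subject"],
                                      added=["List-Id", "List-Unsubscribe"],
                                      footer_appended=True):
        print(hit)
```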