Michael Paoli Michael.Paoli@cal.berkeley.edu
Fri Aug 18 06:07:04 PDT 2017

> From: "Rick Moen" <rick@linuxmafia.com>
> Subject: Re: BALUG-Talk and SPF/DKIM
> Date: Thu, 17 Aug 2017 06:31:48 -0700

> To the best of my recollection (and I'm presently busy and cannot
> double-check all of this), some subset of the full SMTP headers are
> included in the DKIM attestation.  I can't remember which, nor whether
> the DKIM-issuing operator can decide which.  I vaguely recall that the
> extra headers MLMs intentionally add, the MLM footer, the MLM
> modification to the Subject header (like adding [DNG]), and more are all
> somewhat problematic for DKIM validation.

Been a while since I looked at it, but as I seem to recall, with DKIM
the sender (e.g. MTA) can specify and use within DKIM, exactly which
header(s) are included in DKIM - and any headers not specified as
included with DKIM are ignored as far as DKIM is concerned.  I forget
exactly how the body works with DKIM - whether it must be included,
or is optional as to whether or not it's included.

Anyway, DKIM can be not that horrible - and even useful/beneficial - *if*
it's reasonably used.  And, it can also be an impossible nightmare if
it's used quite improperly.  I don't think there's anything in DKIM
that prevents one from, e.g. misconfiguring an MTA to DKIM sign
headers that ought never ever be signed.  At least that's what I
seem to recall from earlier.  I also recall some handy tool(s) on
Linux to (manually) check DKIM on a given, e.g. file or stdin
of a full mail message with headers 'n all.  Don't recall what tool
I used for that though ... let's see if this might help my
memory ...
$ apropos dkim
dkimproxy-sign (1)   - computes a DKIM signature for an email message
dkimproxy-verify (1) - insert here a description
Mail::DKIM (3pm)     - Signs/verifies Internet mail with  
DKIM/DomainKey signa...
Mail::DKIM::Algorithm::Base (3pm) - base class for DKIM "algorithms"
Mail::DKIM::AuthorDomainPolicy (3pm) - represents an Author Domain  
Signing Pr...
Mail::DKIM::Canonicalization::Base (3pm) - base class for  
canonicalization me...
Mail::DKIM::Canonicalization::DkimCommon (3pm) - common  
canonicalization methods
Mail::DKIM::DkimPolicy (3pm) - represents a DKIM Sender Signing  
Practices record
Mail::DKIM::DkPolicy (3pm) - represents a DomainKeys Sender Signing  
Policy re...
Mail::DKIM::DkSignature (3pm) - represents a DomainKeys-Signature header
Mail::DKIM::DNS (3pm) - performs DNS queries for Mail::DKIM
Mail::DKIM::Policy (3pm) - abstract base class for originator  
"signing" policies
Mail::DKIM::PrivateKey (3pm) - a private key loaded in memory for DKIM signing
Mail::DKIM::Signature (3pm) - represents a DKIM-Signature header
Mail::DKIM::Signer (3pm) - generates a DKIM signature for a message
Mail::DKIM::SignerPolicy (3pm) - determines signing parameters for a message
Mail::DKIM::TextWrap (3pm) - text wrapping module written for use with DKIM
Mail::DKIM::Verifier (3pm) - verifies a DKIM-signed message
Hmmmm... not sure what I might've used before ... it's been several years
or more.  Mail::DKIM::Verifier looks probable, or perhaps dkimproxy-verify,
but I don't specifically recall.

More information about the BALUG-Admin mailing list