[dkim-dev] Choosing sets of headers to sign
Hector Santos
hsantos at santronics.com
Fri Jan 12 12:32:13 PST 2007
Arvel Hathcock wrote:
> > Do you have any fields, besides Received, that you feel should/must
> > NOT be signed?
>
> I don't sign "Return-Path", "X" headers, or "Authentication-Results"
> headers. "X" type headers are too unpredictable and are often stripped
> (this is routine in my experience) by various software in the email
> transmission path. IIRC "Return-Path" has a "strip it out" directive
> written down somewhere. I've often found incoming messages collected
> from store and forward services which contain a "Return-Path". Stripping
> it breaks the signature so I don't sign that one if/when I encounter it
> in a message I'm signing. "Authentication-Results" has a criteria in
> the spec by which it too could potentially be stripped out from an
> incoming message. So headers which, in the spec that defines them or
> through common practice, are likely to be stripped should never be
> included in signatures IMO.
Ditto on these. Another I would not promote is "Reply-To:" for optional
list server reasons.
===
HLS
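As an added example (not code from this thread, from MDaemon or from any DKIM implementation), the following Python script applies the header-selection rule discussed above and shows concretely why signing a strippable header breaks verification. The h= selection, RFC 6376 relaxed header canonicalization and the bottom-up rule for repeated headers follow the spec; the RSA signature and DKIM-Signature header are replaced by an HMAC-SHA256 over the canonicalized header block under a made-up shared key, and both the message and the forwarding hop are constructed for the demonstration.

```python
"""Pick DKIM h= headers and show that signing strippable ones is fragile.

Added example. HMAC-SHA256 with a fixed key stands in for the RSA-SHA256
signature of RFC 6376 (an assumption made to keep the script self-contained);
header selection and canonicalization follow the RFC.
"""
import copy
import hashlib
import hmac
import re
from email import message_from_string
from email.message import Message

# Headers the thread recommends leaving out of h=: routinely stripped,
# rewritten or added by intermediaries (Received, Return-Path,
# Authentication-Results, X-*) or altered by list servers (Reply-To).
NEVER_SIGN = {"received", "return-path", "authentication-results", "reply-to"}
NEVER_SIGN_PREFIXES = ("x-",)

# Constructed sample message, not a real one. Subject is folded on purpose.
RAW_MESSAGE = (
    "Return-Path: <bounce@example.org>\n"
    "Received: from mx.example.org by mail.example.net; Fri, 12 Jan 2007 12:00:00 -0800\n"
    "X-Mailer: ExampleMailer 1.0\n"
    "From: Alice <alice@example.org>\n"
    "To: Bob <bob@example.net>\n"
    "Reply-To: list@example.org\n"
    "Subject: Choosing sets of headers\n"
    "  to sign\n"
    "Date: Fri, 12 Jan 2007 11:59:00 -0800\n"
    "Message-ID: <20070112115900.1@example.org>\n"
    "\n"
    "body text\n"
)


def choose_signed_headers(msg: Message) -> list:
    """Return the h= list: every header in message order minus the ones above.
    Repeated headers appear repeatedly, so each occurrence gets covered."""
    return [
        name for name in msg.keys()
        if name.lower() not in NEVER_SIGN
        and not name.lower().startswith(NEVER_SIGN_PREFIXES)
    ]


def relaxed_canon(name: str, value: str) -> str:
    """RFC 6376 3.4.2 relaxed header canonicalization: lowercase the name,
    unfold, collapse runs of WSP to one space, trim, terminate with CRLF."""
    value = re.sub(r"\r?\n", "", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def canon_block(msg: Message, h_list: list) -> bytes:
    """Build the hash input. For each name in h=, take the bottom-most not yet
    used occurrence (RFC 6376 5.4.2); a name with no occurrence left
    contributes nothing, which is exactly what a stripped header does."""
    remaining = {}
    for name, value in msg.items():
        remaining.setdefault(name.lower(), []).append(value)
    out = []
    for name in h_list:
        values = remaining.get(name.lower())
        if values:
            out.append(relaxed_canon(name, values.pop()))
    return "".join(out).encode()


def sign(msg: Message, h_list: list, key: bytes) -> str:
    return hmac.new(key, canon_block(msg, h_list), hashlib.sha256).hexdigest()


def verify(msg: Message, h_list: list, key: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(msg, h_list, key), sig)


def strip_in_transit(msg: Message) -> Message:
    """Simulate a store-and-forward hop that drops Return-Path, X-* and
    Authentication-Results and adds its own Received (appended here; a real
    MTA prepends it, but its position is irrelevant since it is not in h=)."""
    hop = copy.deepcopy(msg)
    for name in list(hop.keys()):
        lname = name.lower()
        if lname in ("return-path", "authentication-results") or lname.startswith("x-"):
            del hop[name]  # removes every occurrence of that name
    hop["Received"] = "from mail.example.net by relay.example.com; Fri, 12 Jan 2007 12:30:00 -0800"
    return hop


def demo() -> dict:
    """Sign once with a fragile h= (includes Return-Path and X-Mailer) and once
    with the recommended list, forward the message, and verify both."""
    key = b"demo-shared-secret"  # assumption: stands in for the RSA key pair
    original = message_from_string(RAW_MESSAGE)
    fragile = ["From", "To", "Subject", "Date", "Message-ID", "Return-Path", "X-Mailer"]
    robust = choose_signed_headers(original)
    sig_fragile = sign(original, fragile, key)
    sig_robust = sign(original, robust, key)
    delivered = strip_in_transit(original)
    return {
        "robust_h": robust,
        "fragile_verifies": verify(delivered, fragile, key, sig_fragile),
        "robust_verifies": verify(delivered, robust, key, sig_robust),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it prints the chosen h= list (From, To, Subject, Date, Message-ID), shows the fragile signature failing after the hop removed Return-Path and X-Mailer, and the recommended list still verifying despite the stripped headers, the new Received line and the refolded Subject.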