[dkim-dev] DomainKeys vs DKIM: Identifying the Sending Domain
Tim Gokcen
tim.gokcen at mpathix.com
Sat May 5 17:35:10 PDT 2007
> Tim Gokcen wrote:
>> I guess what I'm really trying to ask here is, does DKIM provide a
>> mechanism to tell the receiving MTA *which* field a particular DKIM
>> signature is intended to apply to?
>
> DKIM specifies which fields are part of the signature. So I suppose the
> question is what you mean by "apply to". From your earlier notes in this
> thread, you appear to focus on something akin to authorship.
Well, in the case of our pull-push forwarding system, for example, message
headers might include:
From: Joe at originalemail.com
To: Phil at realrecipient.com
Resent-From: pushpullforwarder at mpathix.com
DKIM-Signature: h=From:To:Resent-From:<more>, d=mpathix.com, <etc.>
with a signature whose h= value includes at least all three of those header
fields and whose d= value is mpathix.com. To oversimplify things, my problem
is how do I make sure that the receiving MTA will go:
"mpathix.com signature that includes several fields..., oh, look,
Resent-From is from that domain. I'll do a DNS TXT lookup on the selector
(etc.) for mpathix.com and see if it matches this signature...."
Currently, with DomainKeys, Yahoo goes:
"mpathix.com signature that includes several fields.... nope, neither From
nor Sender is from mpathix.com, I can't use this DK signature for anything."
What I'd like is some kind of assurance (or ability to specify) that a
receiving MTA will check the Resent-From field (or anything else) when
matching the d= parameter. Maybe that lays too much of an onus on the
receiving MTA, though. But I guess it's the distinction between "failed to
validate because I didn't find the d= value in any outer header" and
"ignoring DKIM header validation because I didn't find the d= value in any
outer header *that I care about*"
Thanks for the responses so far; they've been very helpful.
--
Tim Gokcen
Mpathix - Development
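
The matching question raised in the message above, as an added example (not the poster's code and not any receiver's actual implementation): it reads d= and h= from a DKIM-Signature and lists which signed address fields carry the d= domain under two receiver policies. The sample message, the selector, the policy tuples and the function names are assumptions made for illustration; no signature is verified.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed message modelled on the post's headers; the selector and v= tag
# are placeholders and there is no b= value, so nothing is verified here.
SAMPLE = """\
From: Joe@originalemail.com
To: Phil@realrecipient.com
Resent-From: pushpullforwarder@mpathix.com
DKIM-Signature: v=1; d=mpathix.com; s=placeholder;
 h=From:To:Resent-From

body
"""

# Hypothetical receiver policies: address fields allowed to match d=.
FROM_SENDER_ONLY = ("From", "Sender")  # behaviour the post attributes to Yahoo
WITH_RESENT_FROM = ("From", "Sender", "Resent-From")  # what the post asks for


def parse_tags(value):
    """Split a DKIM-Signature value into a {tag: value} dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags


def matching_fields(raw, policy):
    """Return the signed fields in `policy` whose address is in the d= domain."""
    msg = message_from_string(raw)
    tags = parse_tags(msg.get("DKIM-Signature", ""))
    domain = tags.get("d", "").lower()
    signed = {h.lower() for h in tags.get("h", "").split(":") if h}
    hits = []
    for field in policy:
        if not domain or field.lower() not in signed:
            continue  # a field outside h= is not covered by the signature
        addrs = [a.lower() for _, a in getaddresses(msg.get_all(field, []))]
        if any(a.endswith("@" + domain) for a in addrs):
            hits.append(field)
    return hits


if __name__ == "__main__":
    print("From/Sender only:", matching_fields(SAMPLE, FROM_SENDER_ONLY))
    print("With Resent-From:", matching_fields(SAMPLE, WITH_RESENT_FROM))
```

An empty result corresponds to the "no header that I care about matches d=" outcome described in the message, which is distinct from a signature that fails cryptographic validation.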