[dkim-dev] How to interpret ADSP
daniel at cacert.org
Mon Sep 28 03:20:17 PDT 2009
> I am currently implementing DKIM features into a mailing list software
I noticed this the other day - http://www.sympa.org/manual/dkim - great work.
Looking forward to doing my upgrade to Sympa 6+.
> mailing list server may change subject or
> add an attachement to message body
any chance of a global dkimfriendly=true to globally disable dkim unfriendly
options? It would make a listmaster's life easer if they wanting a dkim
friendly policy and had a large number of listowners to deal with.
> The development version allows sympa add a signature by the list server
> it self. ....
Good to see a remailer signature here and one list server developer taking
DKIM seriously. Well done and thank you.
> My question is related to the interpretation of this sentence from rfc
> 5617 (ADSP) section 3.2 :
> o If a message has a Valid Signature other than an Author Domain
> Signature, the receiver can use both the Signature and the ADSP
> result in its evaluation of the message.
> Does this mean that teh receiver should check the "From:" domain ADSP record
assuming the signature is valid ?
The ADSP record really only has meaning if the Author Domain Signature is
To me it says the receiver can check the Author Domain Signature and the non-
author domain signature and come up with a solution in some magical non-
> What should the receiver MTA do with such message depending if the ADSP
record for subscriber.domain is "discardable" or 'all' ?
You can take one of two opinions:
Assuming that it is unlikely that you would be chaining another intermediary
mailer before the sympa email list.
In this case there is no reason for the signature to be broken or missing
hence you could reject/discard the email where dkim-adsp=discard or fail
(rfc5617 - 5.4)
Assume that a intermediary mailer could break the ADSP and add its own third
In this case your in the same boat as every other poor email admin trying to
determine what to do with dkim-adsp=discard or fail because of email lists (or
intermediary mailer) breaks.
My suggestion here is to create a white list of IPs, envelope senders or DKIM
domains that can fail ADSP and still be accepted. This should probably be
confirmed by a list master, owner or moderator rather than a subscriber or
automated acceptance. Perhaps there should even be two lists - one for
ADSP=all and the other for ADSP=discardable.
Push back a confirm probe to the Reply-To/Sender/From address and confirm the
email. Of course if the intermediary emailer forces the Reply-To to their list
address you could be in the nasty situation of requesting confirmation from a
list of people. Oh well can't always win but its better than letting
unconfirmed forgeries though:-).
Other options here most welcome. I'm really trying to work out what to do here
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 198 bytes
Desc: This is a digitally signed message part.
Url : http://mipassoc.org/pipermail/dkim-dev/attachments/20090928/7c08761e/attachment.bin
More information about the dkim-dev