[ietf-dkim] Why mailing lists should strip DKIM signatures
aiverson at spamresource.com
Fri Apr 23 11:06:48 PDT 2010
On Fri, Apr 23, 2010 at 9:45 AM, Dave CROCKER <dhc at dcrocker.net> wrote:
> On 4/23/2010 6:50 AM, MH Michael Hammer (5304) wrote:
>> If John is making some assertion of responsibility for his message by
>> signing, what is the limit of his responsibility as the message flows through
>> the ecosystem? Where is the RFC that says his signature should be stripped?
> Most importantly, where is the specification that says a DKIM signature
> overrides The MailFrom address?
Not everything is codified in RFC or elsewhere. If John sends email to
my mailing list, and I emit that mail to the world, and it garners
complaints, it strikes me based on custom and history that I am the
responsible party. John would not be. Not directly, anyway.
>> If the list stripped his signature and someone modified what he wrote is this
>> a failure of DKIM or is it something else? What are we collectively (and
>> individually) trying to achieve if we are signing the body and not just the
> If a list already knows it should strip DKIM signatures, isn't it also likely that
> the list will be able to sign?
No, because stripping the signature is currently easier than
generating a new one. Stripping the signature is just removing text.
Adding a new signature requires functionality not inherent to all MTAs
> We have no empirical data that the presence of a list signature AND an author
> signature will produce the wrong results (for some definition of wrong.)
Yeah, but clearly the author signature alone can cause what somebody
here thinks to be an imperfect result.
I tend to agree with him. I've been stripping DKIM signatures on my
own hosted mailing lists for that reason, and also so I can modify
content on the fly without the original signature failing.
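
Added example, not part of the original message or of any list software: a sketch of what "stripping the signature is just removing text" means in practice, including the two cases a naive line filter gets wrong (folded continuation lines, and body text that happens to start with the header name). The function name `strip_dkim_signatures`, the sample message and its domains are constructed for illustration.

```python
def strip_dkim_signatures(raw):
    """Remove every DKIM-Signature header field from a raw RFC 5322 message.

    Takes and returns bytes; returns (new_message, fields_removed).
    Only the header section is examined; the body is copied unchanged.
    """
    out = []
    removed = 0
    in_headers = True
    dropping = False  # True while inside a DKIM-Signature field being removed
    for line in raw.splitlines(keepends=True):
        if in_headers:
            if line.rstrip(b"\r\n") == b"":
                # First empty line ends the header section.
                in_headers = False
                dropping = False
            elif line[:1] in (b" ", b"\t"):
                # Folded continuation: belongs to the preceding field.
                if dropping:
                    continue
            else:
                # Start of a new field; header names are case-insensitive.
                name = line.split(b":", 1)[0].strip().lower()
                dropping = name == b"dkim-signature"
                if dropping:
                    removed += 1
                    continue
        out.append(line)
    return b"".join(out), removed


# Constructed sample: one folded signature, one lowercase single-line
# signature, and a body line that only looks like a signature header.
SAMPLE = (
    b"Received: from list.example by mx.example\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=sel;\r\n"
    b"\th=from:to:subject; bh=CONSTRUCTED;\r\n"
    b" b=CONSTRUCTED\r\n"
    b"From: john@author.example\r\n"
    b"dkim-signature: v=1; d=other.example; b=CONSTRUCTED\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"DKIM-Signature: this line is body text and must survive\r\n"
)

if __name__ == "__main__":
    cleaned, count = strip_dkim_signatures(SAMPLE)
    print(count, "signature field(s) removed")
    print(cleaned.decode("ascii"))
```

Generating a replacement list signature, by contrast, needs body and header canonicalization, hashing, a private key and a published selector record, none of which appear in this function.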