Florian,

> > I see - you are expecting an Authentication-Results header field
> > to be added even if a signature is just being added in the same
> > mail transaction.
> > So far it doesn't work this way, the Authentication-Results is added
> > based on existing (if any) signatures in a message. On its way out
> > a signature is added if appropriate, but this does not add its
> > own Authentication-Results. Is this what is happening?
>
> exactly. This would help me to determine the validity of e-mails from
> user1@mydomain to me@mydomain. Sure, there are other means available,
> like S/MIME or PGP, but I thought that the header would be added all
> of the time, so it's an easy verification for me if the mail is valid.
>
> Ah, okay, I guess this explains quite a few things. Exactly, on
> e-mails to external recipients, DKIM signature is added, but no
> Authentication-Results headers. For local mails, only DKIM is added,
> but no Authentication-Results at all. For mailing lists, however,
> sometimes Authentication-Results headers are added. I guess this has
> to do with the mail flow and the question if a DKIM signature has been
> added in the same transaction, or if it came already with the external
> e-mail.

Yes.

> Am I right that Authentication-Results are only added when the
> signature has not been added in the same transaction, and only for
> signatures that have no Authentication-Results headers already? Or
> does the latter one not matter?

The latter does not matter. Think of it as a two-stage process:

- a mail is received, existing DKIM signatures are verified,
  and the Authentication-Results is added if a recipient address
  is local; if there were any pre-existing Authentication-Results
  header fields in a message claiming to be from your domain,
  they are deleted

- on its way out, a signature is added to a message if appropriate;
  this step has no influence on the previous stage

> > I'm not sure if there is any value in adding Authentication-Results
> > for a signature that is just being added.
>
> It would help in validating the e-mail easier, but this of course can
> be achieved by different means. It was just not clear to me that this
> is the supposed behaviour. However, I guess this explains a few of the
> "issues" I might be experiencing, so I will re-check if the problems
> are still existing under these preconditions. :-)

I guess I should be re-reading carefully the RFC 5451 and see if it has
anything to say on the matter. Asking on the [ietf-dkim] mailing list
may be appropriate too.

Mark

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
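
Added example, not part of the thread and not amavisd-new's own code: a Python sketch of the two-stage flow described in the reply above, showing why a locally submitted mail ends up signed but without an Authentication-Results field, and why a forged field in the gateway's name does not survive. The authserv-id `mx.mydomain.example`, the exact-match comparison, the function names and the sample message are assumptions; DKIM verification and signing are stubbed as inputs and a placeholder.

```python
from email import message_from_string

LOCAL_ID = "mx.mydomain.example"   # assumption: this gateway's authserv-id
AR = "Authentication-Results"


def authserv_id(value):
    """authserv-id = first token before ';' (an optional version may follow)."""
    head = value.split(";", 1)[0].split()
    return head[0].lower() if head else ""


def _rewrite(msg, headers):
    """Replace all header fields of msg with the given ordered list."""
    for name in set(msg.keys()):
        del msg[name]                      # removes every occurrence of name
    for name, value in headers:
        msg[name] = value
    return msg


def stage1_receive(msg, dkim_results, recipient_is_local):
    """Inbound: delete A-R fields claiming our authserv-id, then add our own.

    dkim_results holds (signing_domain, result) for signatures already present
    on arrival; the cryptographic check itself is outside this sketch.
    """
    headers = [(n, v) for n, v in msg.items()
               if not (n.lower() == AR.lower() and authserv_id(v) == LOCAL_ID)]
    if recipient_is_local and dkim_results:
        verdicts = "; ".join(f"dkim={r} header.d={d}" for d, r in dkim_results)
        headers.insert(0, (AR, f"{LOCAL_ID}; {verdicts}"))
    return _rewrite(msg, headers)


def stage2_send(msg, signing_domain):
    """Outbound: prepend a signature; never touches Authentication-Results."""
    placeholder = f"v=1; d={signing_domain}; b=PLACEHOLDER"  # not a real signature
    return _rewrite(msg, [("DKIM-Signature", placeholder)] + msg.items())


# Constructed sample: local mail carrying a forged A-R field in our name.
LOCAL_MAIL = message_from_string(
    "Authentication-Results: mx.mydomain.example; dkim=pass header.d=mydomain.example\n"
    "From: user1@mydomain.example\nTo: me@mydomain.example\nSubject: hi\n\nbody\n")
```

Running `stage2_send(stage1_receive(LOCAL_MAIL, [], True), "mydomain.example")` yields a message with a DKIM-Signature field and no Authentication-Results field, which matches the behaviour reported for local mail in the thread.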