Here's an example. The top signature is from the list, the second and third signatures were applied by the sender. The second is the normal signature and the third a weak conditional signature. The third has cs=fs which means it's only valid with an additional (forwarder) signature, and fs=t means that signature has to be from the domain on the To: line.
When the list does its thing, it invalidates the strong signature from the original sender, but it adds its own signature which satisfies the weak signature's condition, so the weak signature becomes valid. DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=s1024; d=discussionlists.org; h=From:To:Reply-To:Date:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID; bh=... b=<this is the signature added by the list on the way out> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=s1024; d=sender.example; h=From:To:Reply-To:Date:Subject:MIME-Version:Content-Type:List-Unsubscribe:Message-ID; bh=... b=<this is a "strong" signature that covered the entire message and isn't valid any more> DKIM-Signature: v=2; a=rsa-sha1; c=relaxed/relaxed; s=s1024; d=sender.example; h=From:To:Date; l=0; cs=fs; fs=t; bh=... b=<this is a "weak" forwarding signature that covers part of the message> From: [email protected] To: [email protected] Subject: [discussion-l] cat videos lol List-Id: <discussion.discussionlists.org> blah blah -- This is the discussion-l list, with a beautiful message footer. _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
