Hi, Heiko -

On 31 January 2017 at 16:44, Heiko Schlittermann <[email protected]> wrote:

> The RFC5322.From header may contain multiple addresses.
> If the From: field contains more than one address, the Sender: field
> *must* be present. So, I believe, you should check From: *and* Sender:
>

Hmm, I'm not convinced…

As I explained, I'm basing my choice of which DKIM key to sign with on the use of DMARC to verify the messages at the receiving system.

In the DMARC RFC section 6.6.1 Extract Author Domain <https://tools.ietf.org/html/rfc7489#section-6.6> it (in extracts) says:

    The domain in the RFC5322.From field is extracted as the domain to be evaluated by DMARC.
    …
    In order to be processed by DMARC, a message typically needs to contain exactly one RFC5322.From domain (a single From: field with a single domain in it). Not all messages meet this requirement, and handling of them is outside of the scope of this document. Typical exceptions, and the way they have been historically handled by DMARC participants, are as follows:
    …
    - Messages bearing a single RFC5322.From field containing multiple addresses (and, thus, multiple domain names to be evaluated) are typically rejected because the sorts of mail normally protected by DMARC do not use this format;

Although admittedly the final paragraph of the section does go on to say:

    The case of a syntactically valid multi-valued RFC5322.From field presents a particular challenge. The process in this case is to apply the DMARC check using each of those domains found in the RFC5322.From field as the Author Domain and apply the most strict policy selected among the checks that fail.

There is no mention anywhere of DMARC using the RFC5322.Sender address to verify the authentication of the incoming message, so I'm not convinced as to the benefit of selecting a DKIM key to sign with based on the domain of that address.

Also, using local knowledge of our setup, the systems we use on campus are *highly* unlikely to generate outgoing emails with multiple addresses in the RFC5322.From so I'm comfortable with using its (single) address to select the signing key.

If I wanted to cover all bases then based on the above I'd instead be looking to generate a DKIM signature for each distinct domain of ours present in the RFC5322.From addresses, not on the RFC5322.Sender address.

A question… Does Exim support generating multiple DKIM signatures from a list of domains? The dkim_domain, dkim_selector, dkim_private_key etc options only seem to take strings as their arguments, not lists of strings, so I can't envision how this would be done?

Cheers,
Mike B-)

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811
Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
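The author-domain handling from RFC 7489 section 6.6.1 quoted in the message above, sketched in Python as an added example that is not part of the original post and is not Exim configuration. The local domain set, the addresses and the sample message are constructed; the policy names are DMARC's `p=` values.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: domains this site holds DKIM keys for (constructed names).
LOCAL_SIGNING_DOMAINS = {"example.ac.uk", "dept.example.ac.uk"}
# DMARC p= values ordered from least to most strict.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def author_domains(raw_message):
    """Distinct RFC5322.From domains, in order of appearance."""
    msg = message_from_string(raw_message)
    from_fields = msg.get_all("From", [])
    if len(from_fields) != 1:
        # DMARC expects a single From: field (RFC 7489 section 6.6.1).
        raise ValueError("expected exactly one From: field, got %d" % len(from_fields))
    domains = []
    for _name, addr in getaddresses(from_fields):
        _local, at, domain = addr.rpartition("@")
        domain = domain.lower().rstrip(".")
        if at and domain and domain not in domains:
            domains.append(domain)
    return domains

def signing_domains(raw_message, local=LOCAL_SIGNING_DOMAINS):
    """From: domains of ours, i.e. one DKIM signature candidate per entry."""
    return [d for d in author_domains(raw_message) if d in local]

def strictest_failing_policy(results):
    """results maps domain -> (dmarc_passed, policy); None if nothing failed."""
    failing = [policy for passed, policy in results.values() if not passed]
    return max(failing, key=POLICY_RANK.__getitem__, default=None)

# Constructed sample: one From: field carrying three addresses.
SAMPLE = (
    "From: Alice <alice@example.ac.uk>, bob@Dept.Example.AC.UK, carol@other.example\n"
    "Sender: alice@example.ac.uk\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    print(author_domains(SAMPLE))
    print(signing_domains(SAMPLE))
    print(strictest_failing_policy({
        "example.ac.uk": (True, "reject"),
        "dept.example.ac.uk": (False, "quarantine"),
        "other.example": (False, "none"),
    }))
```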
