On 06-01-22 16:54, Jeremy Harris via Exim-users wrote:
> On 06/01/2022 15:38, Anton via Exim-users wrote:
>> can identity check fail when domain check succeeded and vice versa?
>> Since the signature is the same, selector is the same, etc.
>
> If the values are different in the header, the result can be different.

I don't understand the reason to make two separate validations: one for domain
and one for identity. (In other words, the reason to put identities in
$dkim_signers list). And what to expect from them.
Imagine, the received DKIM signature contains d=example.com and
[email protected]
If example.com's DNS domainkey entry contains a g=alice field, then "domain" validation
will succeed and "identity" validation will fail?
I would say that just the "domain" validation should be enough and it must fail
if the i= field in signature does not match the g= field in DNS record.
In my understanding they can't be dissociated, and the "whole thing" should
validate (or not) depending on d=, i= and g= values.
Or am I missing something?
[Jeremy, this discussion is not very important, I'm just trying to understand. So if
you don't have time, please feel free to skip it.]
Thanks!
A.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
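
The combined d=/i=/g= consistency check asked about in the message above, as an added example that is not part of the original post and is not Exim's code. It follows the g= granularity rule as defined in RFC 4871 and skips the cryptographic verification; the function names, the selector, the addresses and the key record are constructed for illustration.

```python
def parse_tags(text):
    """Parse a DKIM tag=value list (signature header value or DNS key record)."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def granularity_matches(g, local_part):
    """RFC 4871 g=: literal local-part with at most one '*' wildcard."""
    if g == "":
        return False  # an empty g= never matches any address
    if "*" not in g:
        return g == local_part
    prefix, suffix = g.split("*", 1)
    return (len(local_part) >= len(prefix) + len(suffix)
            and local_part.startswith(prefix)
            and local_part.endswith(suffix))

def check_identity(signature, key_record):
    """Return one verdict for the d=, i= and g= values taken together."""
    sig = parse_tags(signature)
    key = parse_tags(key_record)
    domain = sig["d"].lower()
    identity = sig.get("i", "@" + domain)  # i= defaults to "@" + d=
    local_part, _, id_domain = identity.rpartition("@")
    id_domain = id_domain.lower()
    # The domain part of i= must be d= itself or a subdomain of it.
    if id_domain != domain and not id_domain.endswith("." + domain):
        return "fail: i= domain is outside d="
    # g= defaults to "*" (any local-part) when the key record omits it.
    if not granularity_matches(key.get("g", "*"), local_part):
        return "fail: i= local-part does not match g="
    return "pass"

# Constructed sample data (not taken from the thread).
SIG_BASE = "v=1; a=rsa-sha256; d=example.com; s=sel"
KEY_ALICE = "v=DKIM1; g=alice; p=PLACEHOLDER"
KEY_ANY = "v=DKIM1; p=PLACEHOLDER"

if __name__ == "__main__":
    for ident in ("alice@example.com", "bob@example.com", "alice@example.org"):
        print(ident, "->", check_identity(SIG_BASE + "; i=" + ident, KEY_ALICE))
    print("(no i=) ->", check_identity(SIG_BASE, KEY_ALICE))
```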