> On 20 Nov 2022, at 16:30, Dave Crocker <[email protected]> wrote:
>
> On 11/10/2022 5:32 AM, Steve Atkins wrote:
>> A heuristic I’ve suggested previously is “If the recipient’s email address
>> is not in the To: or Cc: header then treat the mail as unsigned”.
>
> Even if it is showing in a (signed) BCC field?

Definitely. I wouldn’t want to encourage any use of the Bcc field beyond the smarthost, let alone any belief that signing it was a good idea. The content of the Bcc field, or even the existence of it, at the time it’s received by the MX is at best implementation-defined. Signing it at the smarthost is going to cause DKIM to fail far more often than not.

4871 says:

> The following header fields SHOULD NOT be included in the signature:
>
> o Return-Path
> o Received
> o Comments, Keywords
> o Bcc, Resent-Bcc
> o DKIM-Signature

6376 does not. I’m not sure why that changed.

Cheers,
Steve

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
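The heuristic quoted in this exchange, applied at the receiving side, as an added example that is not code from the thread or from any DKIM implementation. It assumes cryptographic verification of the DKIM-Signature has already been done elsewhere; it only reads the h= tag to see which fields were signed, checks whether the delivery recipient appears in To: or Cc:, and separately flags a signature that covers Bcc. The messages, addresses and signature values are constructed placeholders.

```python
import email
from email.utils import getaddresses

# Constructed sample messages (not from the thread); signature values are placeholders.
SIGNED_DIRECT = """\
From: sender@example.org
To: Alice <alice@example.com>
Cc: bob@example.com
Subject: status
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; h=from:to:cc:subject; bh=PLACEHOLDER; b=PLACEHOLDER

hello
"""
# A smarthost that signed Bcc; the copy the MX sees may or may not still carry that field.
SIGNED_WITH_BCC = """\
From: sender@example.org
To: alice@example.com
Bcc: carol@example.com
Subject: status
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; h=from:to:bcc:subject; bh=PLACEHOLDER; b=PLACEHOLDER

hello
"""
UNSIGNED = "From: sender@example.org\nTo: alice@example.com\nSubject: status\n\nhello\n"

def signed_header_fields(msg):
    """Header names in the h= tag of the first DKIM-Signature, lower-cased ([] if unsigned)."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return []
    tags = dict(p.strip().split("=", 1) for p in sig.split(";") if "=" in p)
    return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]

def recipient_listed(msg, recipient):
    """True if the delivery recipient appears in To: or Cc:."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return recipient.lower() in {a.lower() for _, a in addrs}

def evaluate(raw, recipient):
    """Apply the heuristic to a message whose signature is assumed to have verified elsewhere:
    if the recipient is absent from To:/Cc:, treat the mail as unsigned. bcc_signed flags
    signatures that cover Bcc, which RFC 4871 said SHOULD NOT be signed."""
    msg = email.message_from_string(raw)
    fields = signed_header_fields(msg)
    listed = recipient_listed(msg, recipient)
    return {"has_signature": bool(fields), "recipient_listed": listed,
            "bcc_signed": "bcc" in fields, "treat_as_signed": bool(fields) and listed}
```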
