On Thu, 23 May 2024, Philip Guenther wrote:
** or don't over-sign and clients use the first found...

I would prefer not to go there.  A message with two Content-Type headers
or two Subject headers or Date or Message-ID and so forth is not a valid
message, and a DKIM signer or validator should just say no.

I'm not familiar with DKIM validators that also apply those sorts of "too
many instances of a field" rules.  Perhaps it would make sense to talk
about that in a revision of the DKIM rfc, ...

More than a decade ago Doug Otis went on endlessly about adding an extra subject line, which indeed in some cases would get past a DKIM validator, and pretty much randomly MUAs might show one subject or the other. You can do much more effective filtering by assuming defective messages are spam, which they invariably are, rather than screwing around with signatures on them.

This current round of visibility on risks of the l= tag and not signing
content-type is a moment where *signers* are being prodded and updating
their configurations. ...

For about the tenth time, this particular issue is specifically called out in RFC 6376. It is not new, it is not interesting beyond noticing that a trickle of signers still get it wrong. If people don't read the spec, there's not much we can do about it.

R's,
John

_______________________________________________
Ietf-dkim mailing list -- [email protected]
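
Added example (not part of the original message, and not code from any DKIM implementation): the two checks discussed in this thread, written in Python. It flags header fields that RFC 5322 allows at most once but that appear more than once, and DKIM-Signature fields that carry an l= tag or leave Content-Type out of h=. The function names and the sample message are constructed for illustration, and no signature is verified.

```python
from collections import Counter
from email import message_from_string

# RFC 5322 section 3.6: fields allowed at most once per message.
# Content-Type is added to the set because the thread names it.
SINGLETON = {"date", "from", "sender", "reply-to", "to", "cc", "bcc",
             "message-id", "in-reply-to", "references", "subject",
             "content-type"}

def duplicate_fields(msg):
    """Return the singleton field names that occur more than once."""
    counts = Counter(name.lower() for name in msg.keys())
    return sorted(n for n, c in counts.items() if n in SINGLETON and c > 1)

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def signature_findings(msg):
    """Report l= use and an unsigned Content-Type for each signature."""
    findings = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(sig)
        signed = [h.lower() for h in tags.get("h", "").split(":")]
        if "l" in tags:
            findings.append("l= body length limit present")
        if "content-type" not in signed:
            findings.append("content-type not signed")
    return findings

def check(raw):
    msg = message_from_string(raw)
    return {"duplicates": duplicate_fields(msg), "dkim": signature_findings(msg)}

# Constructed sample: two Subject fields, a signature with l= and no content-type in h=.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    " h=from:to:subject:date; l=120; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: a@example.com\nTo: b@example.net\n"
    "Subject: first\nSubject: second\n"
    "Date: Thu, 23 May 2024 10:00:00 +0000\n"
    "Content-Type: text/plain\n\nbody\n"
)

if __name__ == "__main__":
    print(check(SAMPLE))
```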