>I think deployment of DKIM require a good support of DKIM by some of the >major mailing list software. I am one of the author of Sympa mailing >list software and I feel concerned by this. What a mailing list manager >must do with DKIM ?
This is a rather contentious point. One model which we might call the "thin" model considers mailing lists to be essentially mail forwarders, so the identity of the mail is that of the original sender. This encourages list software to minimize the changes they make to mail on the way through to avoid breaking the signature, and perhaps to add its own signature on the way through. IIM had a few hacks intended to help this, a length to tell the recipient that the signature doesn't cover all of the message, and duplicated headers so that it can log what, e.g., the Subject line said before the list added a [listname] tag. I've never seen a persuasive description of what recipients are supposed to do with mismatched subject lines and chunks of unsigned trailing material but I expect people who think it's a good idea can explain it. Another way to be sure the signature stays intact would be to encapsulate every incoming signed message like a one-message MIME digest, but list reading users would probably not enjoy that. The other "thick" model considers the mailing list to be the originator of the message. In this model, the list software would strip off the signature from the incoming message, do whatever it does to the message, and re-sign it on the way out. This better matches modern list software that does things like reordering and deleting MIME parts and flattening HTML to plain text. There are a variety of plausible things it might do with the inbound signature, ranging from discarding it (on the theory that it's the list's reputation that matters for list mail, not the reputation of the contributors) to using a proposed header to log the fact that the inbound message had a good signature, and signing that. Depending on your view of what a list is and the way your list software works, you could try and implement either of these. One thing I can definitely promise is that people will have religious beliefs as deep and irrational as the ones they have about Reply-To: headers, so no matter what you do, you can be sure that someone will tell you that you are an idiot for not doing it his way. R's, John _______________________________________________ ietf-dkim mailing list http://dkim.org
