On 07/19/2018 11:18 PM, Autumn Tyr-Salvia wrote:
> Hello Email Folks,

Hi Autumn,

> I know signing the From: field is required by spec, but I think everything else is technically optional. For those of you who have been in the position of choosing which headers to sign and which not to, would you be open to sharing your reasoning with me? Any words of wisdom around headers they really should or should not sign?

Here's what I sign.

Cc
Content-Disposition
Content-Language
Content-Transfer-Encoding
Content-Type
Date
From
In-Reply-To
Message-ID
MIME-Version
References
Reply-To
Resent-Date
Resent-From
Resent-To
Resent-Cc
Sender
Subject
To
User-Agent

I basically sign all headers that I think should not change in transit.

The only one that /might/ be a problem is Content-Transfer-Encoding, particularly if a message must be converted from 8-bit to 7-bit.

It's also important to think about what headers to /over/ sign as that prevents adding any extra instances of over signed headers.

I over sign the following headers:

Cc
Content-Disposition
Content-Language
Content-Transfer-Encoding
Content-Type
Date
From
In-Reply-To
Message-ID
MIME-Version
References
Reply-To
Resent-Date
Resent-From
Resent-To
Resent-Cc
Sender
Subject
To
User-Agent

Note: You want to NOT over sign headers that you know will be added, e.g. Received: headers.

Side comment about DKIM and mailing lists: I view mailing lists as being a terminal endpoint for email. As such, I'm of the opinion that

1) SPF / DKIM / DMARC should be validated as they are received from the sender.
2) Remove the associated headers before entering the mailing list.
3) Add new counterpart headers as /new/ messages leave the mailing list.

> Insight much appreciated!

I don't know that my /opinion/ counts as "insight" per se. But here's hoping it helps or at least makes you ask questions whose answers help. ;-)

> Thanks,

You're welcome, and good luck.

--
Grant. . . .
unix || die


_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
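The over-signing advice above (and the Content-Transfer-Encoding caveat) rests on one rule in RFC 6376 section 5.4.2: for each name listed in the h= tag the verifier takes the lowest not-yet-used instance of that header, and a name with no instance left is hashed as nothing. The following is an added example, not code from Grant's mail or from any DKIM library: it implements that selection rule plus relaxed header canonicalization, and stands in a SHA-256 over the selected headers for the real signature (no body hash, no DKIM-Signature header, no key). All headers and values are constructed sample data; the MTA and attacker behaviour is modelled simply as prepending a header.

```python
"""
Added example (not from the original mail): DKIM h= instance selection
(RFC 6376, section 5.4.2) and why over-signing blocks header injection.
SHA-256 over the relaxed-canonicalized header block stands in for the real
signature; bh= and the DKIM-Signature header itself are left out.
"""
import hashlib
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed sample message; headers in wire order (top to bottom).
ORIGINAL: List[Header] = [
    ("Received", "from mta.example.org by mx.example.net; Thu, 19 Jul 2018 23:18:00 -0700"),
    ("From", "Autumn <autumn@example.org>"),
    ("To", "mailop@mailop.org"),
    ("Subject", "Which headers to sign"),
    ("Date", "Thu, 19 Jul 2018 23:18:00 -0700"),
    ("Content-Transfer-Encoding", "8bit"),
]


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)     # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"


def select_signed_headers(headers: List[Header], h_tag: List[str]) -> List[str]:
    """
    For each name in h= (in order), take the lowest not-yet-used instance of
    that header, i.e. work bottom-up. A name with no instance left contributes
    the empty string; over-signing relies on this, because an instance added
    later is then hashed where 'nothing' was hashed at signing time.
    """
    used = set()
    selected = []
    for name in h_tag:
        match = None
        for i in range(len(headers) - 1, -1, -1):
            if i not in used and headers[i][0].lower() == name.lower():
                match = i
                break
        if match is None:
            selected.append("")
        else:
            used.add(match)
            selected.append(relaxed_header(*headers[match]))
    return selected


def header_hash(headers: List[Header], h_tag: List[str]) -> str:
    data = "".join(select_signed_headers(headers, h_tag)).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def oversign(headers: List[Header], names: List[str]) -> List[str]:
    """Build an h= list naming each header once more often than it occurs."""
    h_tag: List[str] = []
    for name in names:
        present = sum(1 for k, _ in headers if k.lower() == name.lower())
        h_tag.extend([name] * (present + 1))
    return h_tag


def still_valid(signed: List[Header], h_tag: List[str], received: List[Header]) -> bool:
    """True if the header hash computed at signing time still matches."""
    return header_hash(signed, h_tag) == header_hash(received, h_tag)


def prepend(headers: List[Header], header: Header) -> List[Header]:
    """Model of an MTA or attacker adding a header at the top of the block."""
    return [header] + list(headers)


PLAIN_H = ["From", "To", "Subject", "Date", "Content-Transfer-Encoding"]


def run_cases() -> Dict[str, bool]:
    oversigned_h = oversign(ORIGINAL, PLAIN_H)
    # A second Subject: injected above the signed one: a plain h= still
    # verifies (bottom-up finds the original), although many clients display
    # the first Subject: they see. Over-signing hashes the injected one.
    injected = prepend(ORIGINAL, ("Subject", "URGENT: wire transfer today"))
    # Received: is added by every hop; over-signing it breaks at the next MTA.
    forwarded = prepend(ORIGINAL, ("Received", "from mx.example.net by list.example.com; Thu, 19 Jul 2018 23:19:30 -0700"))
    # 8-bit to 7-bit conversion rewrites Content-Transfer-Encoding (and the
    # body, so bh= would break as well).
    converted = [(k, "quoted-printable" if k == "Content-Transfer-Encoding" else v) for k, v in ORIGINAL]
    return {
        "plain_signing_survives_injection": still_valid(ORIGINAL, PLAIN_H, injected),       # True
        "oversigning_catches_injection": still_valid(ORIGINAL, oversigned_h, injected),     # False
        "received_signed_once": still_valid(ORIGINAL, ["Received", "From"], forwarded),     # True
        "received_oversigned": still_valid(ORIGINAL, oversign(ORIGINAL, ["Received", "From"]), forwarded),  # False
        "cte_rewritten": still_valid(ORIGINAL, PLAIN_H, converted),                        # False
    }


if __name__ == "__main__":
    print("h= with over-signing:", ":".join(oversign(ORIGINAL, PLAIN_H)))
    for case, ok in run_cases().items():
        print(f"{case}: {ok}")
```

The first two cases show why signing a header once is not enough to stop injection: an attacker who prepends a second Subject: leaves the originally signed instance in place, so the signature verifies while the recipient's client may show the injected one. The Received: cases show the flip side of the same rule, and the last case is the Content-Transfer-Encoding conversion problem the mail mentions.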
