On 16/08/2021 10:21, Ken N wrote:
I was reading this blog posting:
https://www.alexblackie.com/articles/email-authenticity-dkim-spf-dmarc/
But I am confused: what content should the DKIM signature cover?
The message body or the headers? What headers should be signed?
The body is always included for signing. For headers: if you want the
technical answer, look at RFC 6376, Section 5.4. If you use OpenDKIM you
don't need to worry; by default it signs based on the RFC's suggested
headers (and the body), though for safety you should also set
'OversignHeaders From'.
Signing for more headers than suggested in the RFC may seem 'safer' but
is more likely to cause FPs because the other headers can be changed
legitimately by a relaying mail server.
And, in my opinion, using DKIM without DMARC is of limited value.
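As an added illustration (not part of the thread above, and not OpenDKIM's own code), the following Python reproduces the header-selection rule from RFC 6376 section 5.4.2 that makes 'OversignHeaders From' matter: the verifier walks the h= list and, for each name, takes the bottom-most header instance not already used, so a second From: header prepended by an attacker is simply ignored unless the signer reserved a second "from" slot. The sample message headers are constructed for the example; the RECOMMENDED list is a subset of the RFC's section 5.4 list, and the RSA signature, the bh= body hash and the DKIM-Signature header's own inclusion in the hash are deliberately left out so the code can focus on which header bytes end up covered.

```python
import hashlib
import re
from typing import List, Sequence, Tuple

Header = Tuple[str, str]

# Headers RFC 6376 section 5.4 recommends signing (From is mandatory).
# This is a subset of the RFC's list, kept short for the example.
RECOMMENDED = ["From", "Reply-To", "Subject", "Date", "To", "Cc"]


def parse_headers(raw: str) -> List[Header]:
    """Split a raw header block into (name, value) pairs in wire order.
    Folded continuation lines (leading WSP) are appended to the previous field."""
    fields: List[Header] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if not fields:
                raise ValueError("continuation line before any header")
            name, value = fields[-1]
            fields[-1] = (name, value + "\r\n" + line)
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed header line: {line!r}")
            fields.append((name, value))
    return fields


def relaxed_canon(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization: lowercase the
    name, unfold, collapse WSP runs to one space, strip WSP around the colon
    and at the end, terminate with CRLF."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.strip().lower()}:{value}\r\n"


def select_headers(fields: Sequence[Header], h_tag: Sequence[str]) -> List[Header]:
    """RFC 6376 section 5.4.2: walk h= left to right; for each name take the
    last (bottom-most) instance not already taken. A name with no instance
    left contributes nothing, which is what makes oversigning work: the extra
    entry reserves a slot that a later-injected header would fall into."""
    taken = set()
    chosen: List[Header] = []
    for wanted in h_tag:
        for idx in range(len(fields) - 1, -1, -1):
            if idx not in taken and fields[idx][0].strip().lower() == wanted.lower():
                taken.add(idx)
                chosen.append(fields[idx])
                break
    return chosen


def build_h_tag(fields: Sequence[Header], oversign: Sequence[str] = ()) -> List[str]:
    """h= entries: every recommended header present in the message, plus one
    extra entry per oversigned name (the effect of OpenDKIM's OversignHeaders)."""
    present = {n.strip().lower() for n, _ in fields}
    h = [name.lower() for name in RECOMMENDED if name.lower() in present]
    h += [name.lower() for name in oversign]
    return h


def header_hash(raw: str, h_tag: Sequence[str]) -> str:
    """SHA-256 over the canonicalized, selected headers. Real DKIM also appends
    the DKIM-Signature header (with b= emptied) and includes bh= before signing
    the digest with RSA; those steps are omitted here on purpose."""
    chosen = select_headers(parse_headers(raw), h_tag)
    data = "".join(relaxed_canon(n, v) for n, v in chosen)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


# Constructed sample headers (not a real message).
ORIGINAL = (
    "From: Alice <alice@example.org>\n"
    "To: Bob <bob@example.net>\n"
    "Subject: Quarterly numbers\n"
    "Date: Mon, 16 Aug 2021 10:21:00 +0100\n"
)
# Attacker prepends a second From: after signing; many MUAs display the first one.
INJECTED = "From: CEO <ceo@example.org>\n" + ORIGINAL
# A relay prepends a trace header, which is legitimate and should not be signed.
RELAYED = "Received: from mx.example.org by mx.example.net; Mon, 16 Aug 2021 10:22:00 +0100\n" + ORIGINAL


def demo() -> dict:
    fields = parse_headers(ORIGINAL)
    plain = build_h_tag(fields)                          # from:subject:date:to
    oversigned = build_h_tag(fields, oversign=["From"])  # from:subject:date:to:from
    return {
        # True means the signed header bytes did not change, i.e. the signature still verifies.
        "plain_survives_injection": header_hash(ORIGINAL, plain) == header_hash(INJECTED, plain),
        "oversigned_survives_injection": header_hash(ORIGINAL, oversigned) == header_hash(INJECTED, oversigned),
        "relay_trace_header_changes_nothing": header_hash(ORIGINAL, plain) == header_hash(RELAYED, plain),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the three outcomes the thread describes: with From listed once, the forged From: header is ignored by selection and the signature would still verify; with From oversigned, the injected header lands in the reserved slot and the hash changes; and a Received: header added by a relay changes nothing because it is not in h=, which is also why signing headers a relay may legitimately touch mainly buys you verification failures.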