On Thu, Nov 07, 2024 at 09:49:52PM +0100, Benny Pedersen wrote:
> MX wrote on 2024-11-07 05:44:
> > Isn’t this just a forwarded email from Office 365 using SRS? It
>
> SRS does not solve rfc in dkim, h= tag missing minimal required headers

Are we talking about them not signing Message-ID? It is not required
according to RFC 6735, section "5.4.1. Recommended Signature Content"
which says:

    There are trade-offs in the decision of what constitutes the "core"
    of the message, which for some fields is a subjective concept.
    Including fields such as "Message-ID", for example, is useful if one
    considers a mechanism for being able to distinguish separate
    instances of the same message to be core content

So it does not seem required at all.

On the other hand, one can certainly create SA rules that check for
signatures that do not sign Message-ID, if they consider it a problem,
e.g. (rough and completely untested from head):

    # true when the DKIM-Signature header mentions Message-ID
    header __DKIM_SIGNS_MID  DKIM-Signature =~ /\bmessage-id\b/i
    header __FROM_PAYPAL     From =~ /paypal\.com/i
    meta   SUSP_DKIM_PAYPAL  __FROM_PAYPAL && DKIM_VALID_AU && !__DKIM_SIGNS_MID
    score  SUSP_DKIM_PAYPAL  10  # ... or whatever

Of course, that's an example -- don't do that for actual PayPal until
they start signing Message-ID, unless you'd like their messages being
flagged as spam :)

A better option for this specific use case would be marking as suspicious
any PayPal mails that have an unknown Return-Path (i.e. not one of their
regular ones). But that of course becomes problematic if/when they
change it...

-- 
Opinions above are GNU-copylefted.
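
An added example, not part of the original message: a Python sketch that parses the h= tag of a DKIM-Signature value and lists which expected fields are not signed, next to the regex from the rule above, which also hits when Message-ID appears only in another tag such as z=. The sample signatures are constructed and all function names are hypothetical.

```python
import re

# Which fields count as "core" is a local policy choice (assumption for this example).
DEFAULT_EXPECTED = ("from", "message-id")

def unfold(value):
    """Replace header folding (line break plus leading whitespace) with a space."""
    return re.sub(r"\r?\n[ \t]+", " ", value)

def parse_tags(sig_value):
    """Split a DKIM-Signature value into tag=value pairs (tag names are case-sensitive)."""
    tags = {}
    for part in unfold(sig_value).split(";"):
        name, sep, val = part.partition("=")   # first '=' only; base64 padding stays in val
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def signed_headers(sig_value):
    """Lowercased field names listed in h=, in order (field names are case-insensitive)."""
    h = parse_tags(sig_value).get("h", "")
    return [n.strip().lower() for n in h.split(":") if n.strip()]

def unsigned(sig_value, expected=DEFAULT_EXPECTED):
    """Expected fields that the signature's h= tag does not cover."""
    signed = set(signed_headers(sig_value))
    return [n for n in expected if n not in signed]

def naive_regex_hit(sig_value):
    """Same test as the header rule: 'message-id' anywhere in the header value."""
    return re.search(r"\bmessage-id\b", sig_value, re.I) is not None

# Constructed samples; bh= and b= are placeholders, not real hashes or signatures.
SIG_WITH_MID = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
                "\th=From:To:Subject:Date:\r\n\t Message-ID; bh=PLACEHOLDER; b=PLACEHOLDER")
SIG_Z_ONLY = ("v=1; a=rsa-sha256; d=example.com; s=sel1; h=From:To:Subject:Date;\r\n"
              "\tz=From:a@example.com|Message-ID:<1@example.com>; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    for label, sig in (("with Message-ID in h=", SIG_WITH_MID), ("z= only", SIG_Z_ONLY)):
        print(label, "| unsigned:", unsigned(sig), "| regex hit:", naive_regex_hit(sig))
```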