On Monday 03 October 2005 18:14, Nix took the opportunity to write:
> On Sat, 1 Oct 2005, [EMAIL PROTECTED] stated:
> > Which begs the question I don't remember anybody asking: "What the
> > <censored> is "DomainKeys" and why should it experience a special
> > exception to sane ordering if header information with time of
> > application ordered message tags?
>
> It's a scheme whereby the headers get cryptographically signed, as a
> body, with a key derived from a DNS lookup; another anti-forgery
> scheme, like SPF, only hopefully more forwarding-friendly.
>
> The idea is that relays sign the headers from a given Received: line on
> down, thus validating the path a mail has taken without breaking the
> ability for further relays to add Received lines. So adding things
> above Received lines is safe: adding them below invalidates the DK
> signature.

One remark I haven't seen yet is that the "DomainKey-Signature:" field can include an "h" tag, which specifies which header fields are included in the signature. If that tag is included (and I think it usually is(?)) and there aren't already any X-Spam-* fields that have been signed, then it should be safe to add SA's header lines below, just like before. If the "h" tag isn't present, adding it shouldn't change the verification status, but I don't think it's allowed. Always prepending SA's header lines clearly is the easiest thing to do.

> (Yes, I think it looks ugly, too.)

Me too, but it's probably just because I'm used to it. Always adding new headers to the top has the additional benefit that it's easier to see which relay added what.

-- 
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
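
Added example, not part of the original message or of SpamAssassin: a Python model of the rule discussed above, checking whether a filter that adds a header above or below the existing ones changes the set of fields a DomainKey-Signature covers. It assumes that only fields below the signature header are covered, that "h" restricts coverage to the listed names, and that without "h" every field below is covered; canonicalization and the cryptographic check are left out, and the function names and sample headers are constructed for illustration.

```python
import re

def parse_tags(value):
    """Split a 'tag=value; tag=value' signature field into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def signed_fields(headers):
    """Return the (name, value) pairs covered by the first DomainKey-Signature.

    headers is a list of (name, value) in message order, topmost first.
    Assumed model: only fields below the signature field are candidates;
    with h= only the listed names are covered, without h= all of them are.
    """
    for i, (name, value) in enumerate(headers):
        if name.lower() == "domainkey-signature":
            below = headers[i + 1:]
            h = parse_tags(value).get("h")
            if h is None:
                return below
            wanted = {n.lower() for n in h.split(":")}
            return [f for f in below if f[0].lower() in wanted]
    return []  # unsigned message: nothing to invalidate

def addition_is_safe(headers, new_field, prepend):
    """True if adding new_field leaves the covered field list unchanged."""
    after = [new_field] + headers if prepend else headers + [new_field]
    return signed_fields(after) == signed_fields(headers)

# Constructed sample headers; b= is a placeholder, not a real signature.
SIG = "a=rsa-sha1; q=dns; c=nofws; s=sel; d=example.com; h=From:To:Subject; b=PLACEHOLDER"
WITH_H = [
    ("Received", "from relay.example by mx.example"),
    ("DomainKey-Signature", SIG),
    ("From", "alice@example.com"),
    ("To", "bob@example.net"),
    ("Subject", "hello"),
]
WITHOUT_H = [(n, v.replace(" h=From:To:Subject;", "")) if v is SIG else (n, v)
             for n, v in WITH_H]
SPAM = ("X-Spam-Status", "No, score=0.1")

if __name__ == "__main__":
    for label, msg in (("h= present", WITH_H), ("h= absent", WITHOUT_H)):
        print(label, "| prepend safe:", addition_is_safe(msg, SPAM, True),
              "| append safe:", addition_is_safe(msg, SPAM, False))
```

Prepending is safe in every case under this model, while appending is safe only when "h" is present and does not already name the field being added.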