On 06.05.17 15:49, Thore Boedecker wrote:
After looking at the headers it became clear what the issue was:

It seems that Yahoo (at least yahoo.co.jp) is allowing emails from
@gmail.com senders to be sent through their servers.

@gmail.com From: and envelope from. Sender: was yahoo...

The funny thing is, that there is a @gmail.com address in both the
'From:' and 'Return-Path:' headers, but a @yahoo.com address in the
'Reply-To:' and 'Sender:' headers.
Somehow Yahoo sees no problem in that and is happy to DKIM sign those
emails with a correct *Yahoo* signature.

I wonder why didn't THE mail hit SPF_SOFTFAIL, since it was supposed to...

Over on my side, the receiving end of these emails, there is my
spamassassin. SA discovers the DKIM signature and is able to validate
this signature against the Yahoo server which is totally undesirable
in my opinion.

Maybe strict DKIM alignment is not always the best choice, because
sometimes the emails are signed by different servers without sharing
one signing key for the entire domain.

yes: while we can agree that gmail.com is not yahoo's domain, how can DKIM
validator know?

I don't think this problem lies at DKIM verification, more on
trustworthiness of yahoo who signs such mail, and the fact of missing SPF checks that I pointed out above.

So is there any way to make SA perform at least a relaxed DKIM
alignment check on the headers so that the DKIM signature domain has
to belong to the 'From:' address?

every domain using yahoo mail servers would have to delegate DKIM to
yahoo and yahoo would need to sign under all those domains.
the same applies about any domain that does DKIM signing (e.g. gmail)

that is in fact change in requirements on DKIM itself...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.
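
The alignment question raised in this thread (does the DKIM signing domain belong to the 'From:' address?), as an added example that is not part of the original message and is not SpamAssassin code. The sample message is constructed, `SUFFIXES` is a tiny stand-in for the Public Suffix List, and the signature is assumed to have already passed cryptographic verification.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample with the header layout described in the thread:
# gmail.com in From:/Return-Path:, Yahoo in Sender:/Reply-To:, Yahoo DKIM signature.
SAMPLE = """\
Return-Path: <someone@gmail.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.co.jp;
 s=constructed; h=from:sender:reply-to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Someone <someone@gmail.com>
Sender: other@yahoo.co.jp
Reply-To: other@yahoo.co.jp
Subject: constructed example

body
"""

SUFFIXES = {"com", "jp", "co.jp", "sk"}  # assumption: stand-in for the Public Suffix List

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def signing_domains(msg):
    """Collect the d= tag of every DKIM-Signature header (folded headers included)."""
    found = []
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in sig.split(";"):
            name, _, value = part.partition("=")
            tags[name.strip()] = value.strip()
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def alignment(raw):
    """Return 'strict', 'relaxed' or 'none' for the From: domain vs. the d= domains."""
    msg = message_from_string(raw)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    result = "none"
    for d in signing_domains(msg) if author else []:
        if d == author:
            return "strict"
        if org_domain(d) == org_domain(author):
            result = "relaxed"
    return result
```

For `SAMPLE` the result is `none`: the signature can be perfectly valid for yahoo.co.jp and still say nothing about the gmail.com author address.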
