ddx - Re: [ddx] DKIM and forwarding
Subject: DKIM Deployment
- From: Jim Fenton <>
- To: Jesse Thompson <>
- Cc:
- Subject: Re: [ddx] DKIM and forwarding
- Date: Wed, 13 Jan 2010 14:40:24 -0800
- Authentication-results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
Jesse Thompson wrote:
> Well, it seems that my understanding of DKIM was way off. I had always assumed that DKIM was immune to the issues involved with forwarding. I had hoped to use DKIM as a way to whitelist mail from specific organizations (and to not depend on the messages coming to our servers from specific sources.) Now, I don't see how DKIM is significantly better than SPF, or just plain old IP exemptions. :-(
> I feel dejected. Does anyone care to enlighten me?
I'll try. I'm missing some context here, but Ned appears to be criticizing DKIM in the context of all the things that intermediaries sometimes do:
Forwarding
List Expansion
MIME downgrading/upgrading
Content conversions
etc.
Let's take those individually:
Forwarding -- "transparent" forwarders that don't do any of the other things will generally not break DKIM signatures. Some forwarders do spam/virus filtering and may insert header fields as a result of that; the insertion of header fields (particularly if they're inserted in the right order, i.e., the top of the header block) will not break signatures unless the signer has intentionally signed a non-existent header field to make sure that the header can't be added without breaking the signature. Nobody signs non-existent headers, so that isn't a problem. The only likelihood is that the insertion of [SPAM] or something like that in the subject line will break the signature if the signature is signed.
Forwarders generally act on behalf of the recipient, so as the recipient you should know what to expect.
List expansion -- There is a school of thought that messages that pass through mailing lists aren't really forwarded at all, they're sent anew by the list manager. Reasonable people disagree on this, but for those that argue that the messages are sent anew, it's appropriate that the signature come from the list manager. Personally, when I subscribe to a mailing list, I want all the messages on the list, and if there's spam on the list, I expect the list owner to police that or I will probably unsubscribe. So I'm really more interested in whitelisting the mailing list than the participants, and therefore am more interested in a DKIM signature from the mailing list than whether or not the participants' signatures survive.
MIME downgrading/upgrading and content conversions -- I haven't seen much (any) of that being done between domains (between the signer and the verifier). It's sometimes done within the domain of the sender or recipient, and if so, they have an incentive to place that capability before signing or after verification.
So even though there are certain things that can legally be done by transit MTAs that will break DKIM signatures, that doesn't mean that there is, in practice, a problem.
-Jim
P.S. What's the audience of the mailing list for the mailing list you quoted?
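The header cases discussed in the message above, as an added example that is not part of the original message or of any DKIM implementation: it follows the RFC 6376 rules for relaxed header canonicalization and bottom-up selection of the fields listed in `h=`, and compares a digest of the signed header data before and after an intermediary's edit. The sample headers are constructed, and the sketch assumes a simplification: it leaves out the DKIM-Signature field itself, the body hash and the RSA step.

```python
import hashlib
import re

def relaxed(name, value):
    """RFC 6376 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse runs of whitespace
    return f"{name.lower()}:{value}\r\n"

def signed_header_digest(headers, h_tag):
    """SHA-256 over the fields named in h=, selected as RFC 6376 5.4.2 describes.

    headers is a list of (name, value) pairs in top-to-bottom order. Each name
    in h= consumes the lowest unused instance of that field; a name with no
    instance left contributes nothing (the "non-existent header" case).
    """
    remaining = list(headers)
    data = ""
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted:
                data += relaxed(*remaining.pop(i))
                break
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample header block (not taken from the thread).
ORIGINAL = [("From", "Alice <alice@example.org>"),
            ("To", "bob@example.net"),
            ("Subject", "Quarterly report")]
# A filtering forwarder inserts a field at the top of the header block.
FILTER_FIELD_ADDED = [("X-Spam-Status", "No")] + ORIGINAL
# A filter rewrites the Subject line.
SUBJECT_TAGGED = ORIGINAL[:2] + [("Subject", "[SPAM] Quarterly report")]

def survives(h_tag, modified):
    """True if the signed header data is the same before and after the edit."""
    return signed_header_digest(ORIGINAL, h_tag) == signed_header_digest(modified, h_tag)

if __name__ == "__main__":
    print(survives("from:to:subject", FILTER_FIELD_ADDED))                # True
    print(survives("from:to:subject", SUBJECT_TAGGED))                    # False
    print(survives("from:to", SUBJECT_TAGGED))                            # True
    print(survives("from:to:subject:x-spam-status", FILTER_FIELD_ADDED))  # False
```

The last case is the signed non-existent header: the field was absent at signing time, so its later insertion changes the data the signature covers.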