
ddx - Re: [ddx] DKIM and forwarding

Subject: DKIM Deployment

Re: [ddx] DKIM and forwarding

  • From: Jesse Thompson <>
  • To: Jim Fenton <>
  • Cc:
  • Subject: Re: [ddx] DKIM and forwarding
  • Date: Wed, 13 Jan 2010 17:31:17 -0600

Hi Jim,

The Info-IMS list is the discussion list for Sun Java System Messaging Server (formerly Sun ONE Messaging Server, formerly iPlanet Messaging Server, which has roots from Sun Internet Mail Server, Netscape Messaging Server, and PMDF.)

Ned is a developer for this product. Here is another quote from Ned's other message in this thread.

"attempting to keep DKIM signatures intact across multiple hops is
an exercise in futility, so there is no point in pursuing this or
any of the dozens of other things you'd have to do to even stand a
chance of this working."

SJSMS is a popular MTA with large ISPs, so your last statement about there not being a problem with DKIM signatures breaking "in practice" seems unlikely.

I was asking why SJSMS made the following changes to messages from Yahoo, which caused DKIM signatures to fail.

1. changing the case of header names, e.g. s/Message\-ID/Message\-id/

2. changing the value of the Content-type header, s/charset=us\-ascii/CHARSET=US\-ASCII/ (this one might be due to a misconfiguration)

3. reformatting the Date header

Here is the diff:

--- test-dkim2-towisc-unmodified.eml 2010-01-13 10:49:19.000000000 -0600
+++ test-dkim2-towisc-2.eml 2010-01-13 10:55:53.000000000 -0600
@@ -8,15 +8,15 @@
X-YMail-OSG:

IYTj8y0VM1lv0OCW6D9yJ0.PZddSoYgVYniqSSW.FxalEPYOyWEDfUYp2bDc5w8ajFz_fW6XFUg4waUT0JlGRynWmjX90aCiBCZhcNo6YH6mWAmL9AFxMRRjeZhkYCCC1Tlualw5GuXgltSk2aK75FpN1b0d5K2W4nykfuOSL.zOSLMLw08cDIdF.QNqQvzqghf8jQxOjmksXrSw1Ed0.kj5Kc5KmnEFVqCF9xRWhHAnSiv8QY5zy7FuyRnx2a7fhOITovC2wLkAWTCzKsti2hOue95I6DOWVkC6NoRLhwSCJhGpdo6Uo5Z9NupaJnRlkkiOOcSNFDs-
Received: from [128.104.19.133] by web81602.mail.mud.yahoo.com via HTTP; Wed,
- 13 Jan 2010 08:22:31 -0800 (PST)
-Message-id:
<>
+ 13 Jan 2010 08:22:31 PST
+Message-ID:
<>
X-Mailer: YahooMailRC/240.3 YahooMailWebService/0.8.100.260964
Date: Wed, 13 Jan 2010 08:22:31 -0800 (PST)
From: Jesse Thompson
<>
Subject: test dkim 2
To:
,


-MIME-version: 1.0
-Content-type: text/plain; CHARSET=US-ASCII
+MIME-Version: 1.0
+Content-Type: text/plain; charset=us-ascii

test dkim 2
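Review bot: the -/+ direction of this hunk is the reverse of the three changes listed above it: the "-" side (the file named unmodified) carries "Message-id:", "MIME-version:" and "CHARSET=US-ASCII", while the "+" side carries "Message-ID:", "MIME-Version:" and "charset=us-ascii", the forms the text attributes to the original Yahoo message, so either the two files were given to diff in the opposite order or the file names are swapped; worth confirming before reading conclusions off the signs. Also, the only date change visible is inside the Received: field ("-0800 (PST)" versus "PST"); the Date: header line itself appears unchanged on both sides, and Received: is not normally listed in a signature's h= tag, so that change is unlikely to be what broke the signature. Of the visible differences, the header-name case changes disappear under relaxed header canonicalization (RFC 6376 lowercases field names but leaves values alone), so the Content-Type value change is the one a relaxed/relaxed verifier would still see.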

On 1/13/2010 4:40 PM, Jim Fenton wrote:
Jesse Thompson wrote:
Well, it seems that my understanding of DKIM was way off. I had always
assumed that DKIM was immune to the issues involved with forwarding. I
had hoped to use DKIM as a way to whitelist mail from specific
organizations (and to not depend on the messages coming to our servers
from specific sources.) Now, I don't see how DKIM is significantly
better than SPF, or just plain old IP exemptions. :-(

I feel dejected. Does anyone care to enlighten me?

I'll try. I'm missing some context here, but Ned appears to be
criticizing DKIM in the context of all the things that intermediaries
sometimes do:

Forwarding
List Expansion
MIME downgrading/upgrading
Content conversions
etc.

Let's take those individually:

Forwarding -- "transparent" forwarders that don't do any of the other
things will generally not break DKIM signatures. Some forwarders do
spam/virus filtering and may insert header fields as a result of that;
the insertion of header fields (particularly if they're inserted in the
right order, i.e., the top of the header block) will not break
signatures unless the signer has intentionally signed a non-existent
header field to make sure that the header can't be added without
breaking the signature. Nobody signs non-existent headers, so that isn't
a problem. The only likelihood is that the insertion of [SPAM] or
something like that in the subject line will break the signature if the
signature is signed.

Forwarders generally act on behalf of the recipient, so as the recipient
you should know what to expect.

List expansion -- There is a school of thought that messages that pass
through mailing lists aren't really forwarded at all, they're sent anew
by the list manager. Reasonable people disagree on this, but for those
that argue that the messages are sent anew, it's appropriate that the
signature come from the list manager. Personally, when I subscribe to a
mailing list, I want all the messages on the list, and if there's spam
on the list, I expect the list owner to police that or I will probably
unsubscribe. So I'm really more interested in whitelisting the mailing
list than the participants, and therefore am more interested in a DKIM
signature from the mailing list than whether or not the participants'
signatures survive.

MIME downgrading/upgrading and content conversions -- I haven't seen
much (any) of that being done between domains (between the signer and
the verifier). It's sometimes done within the domain of the sender or
recipient, and if so, they have an incentive to place that capability
before signing or after verification.

So even though there are certain things that can legally be done by transit
MTAs that will break DKIM signatures, that doesn't mean that there is,
in practice, a problem.

-Jim

P.S. What's the audience of the mailing list for the mailing list you
quoted?


--
Jesse Thompson
Division of Information Technology, University of Wisconsin-Madison
Email/IM:
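As an added example (not code from the thread or from either product discussed), the RFC 6376 header canonicalization rules applied to the header differences shown in the diff above, to see which of them a verifier would notice under "simple" versus "relaxed" canonicalization. The h= list and the Message-ID value are assumptions, constructed for the example.

```python
# Added example, not from the thread: RFC 6376 section 3.4 header
# canonicalization applied to the two header variants in Jesse's diff.
import re

def canon_header(name, value, mode):
    """Canonicalize one header field as a DKIM verifier would before hashing."""
    if mode == "simple":
        # simple (3.4.1): the field is used exactly as it appears
        return f"{name}:{value}\r\n"
    # relaxed (3.4.2): lowercase the name, unfold, collapse whitespace runs,
    # strip trailing whitespace; the value's own letter case is preserved
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def signed_block(headers, h_list, mode):
    """Build the canonical header block hashed for the fields named in h=.
    Names match case-insensitively; a field absent from the message adds nothing."""
    by_name = {n.lower(): (n, v) for n, v in headers}
    out = []
    for want in h_list:
        if want.lower() in by_name:
            name, value = by_name[want.lower()]
            out.append(canon_header(name, value, mode))
    return "".join(out)

# Constructed from the two sides of the diff in the message above.
# The Message-ID value is a placeholder; the page elides the real one.
YAHOO = [("MIME-Version", "1.0"),
         ("Content-Type", "text/plain; charset=us-ascii"),
         ("Message-ID", "<placeholder@example.invalid>"),
         ("Date", "Wed, 13 Jan 2010 08:22:31 -0800 (PST)")]
SJSMS = [("MIME-version", "1.0"),
         ("Content-type", "text/plain; CHARSET=US-ASCII"),
         ("Message-id", "<placeholder@example.invalid>"),
         ("Date", "Wed, 13 Jan 2010 08:22:31 -0800 (PST)")]
# Assumed h= list; Received: is deliberately absent, as it usually is in practice.
H_LIST = ["Date", "Message-ID", "MIME-Version", "Content-Type"]

def surviving_changes(mode):
    """Return the h= fields whose canonical form differs between the two sides,
    i.e. the changes that would still invalidate the signature under `mode`."""
    return [n for n in H_LIST
            if signed_block(YAHOO, [n], mode) != signed_block(SJSMS, [n], mode)]
```

Under simple canonicalization every header-name case change counts; under relaxed only the Content-Type value change remains, which is why the charset rewrite is the one of the three that matters to a relaxed/relaxed signer.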






