ddx - Re: [ddx] DKIM and CNames
Subject: DKIM Deployment
- From: Serge Aumont <>
- Subject: Re: [ddx] DKIM and CNames
- Date: Fri, 23 Apr 2010 16:21:59 +0200
Hi
On 04/23/2010 04:04 PM, Jose-Marcio Martins da Cruz wrote:
>
> Hello,
>
> I've just fallen on a problem with CNAMES, not related to DKIM, but
> which can have some implications.
>
> Well, the *default* sendmail configuration has confDONT_EXPAND_CNAMES.
> Bryan Costales' Bat Book recommends changing the default configuration
> to True, which most people don't, as this isn't the default value.
>
> So, consider a hostname defined as (hopefully, there aren't too many) :
>
> lists-one.domain.com. CNAME lists.domain.com.
> lists.domain.com. A 1.2.3.4
>
> When sendmail receives this, with the default configuration option it
> will replace the contents of headers (To:, CC: and probably others
> too) referencing lists-one.domain.com to lists.domain.com.
>
> And this can break the DKIM signature.
>
> Has anyone other than me already found this?
It seems to me that the domain part of a valid email must be a CNAME or
an MX, not an alias.
is not a valid email address.
That is my understanding of RFC 1912 section 2.4:
"A CNAME record is not allowed to coexist with any other data. In
other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you
can't also have an MX record for suzy.podunk.edu, or an A record, or
even a TXT record."
So the question of a valid DKIM signature of this invalid email should
not be considered.
Serge Aumont
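
Added example, not part of the original messages: a sketch of why the header rewrite described in the quoted post invalidates a DKIM signature, using RFC 6376 "relaxed" header canonicalization and a SHA-256 digest over the signed fields. The message headers and the signed-field list are constructed; the DKIM-Signature field itself and the RSA step are left out, since the digest mismatch alone is enough to fail verification.

```python
import hashlib
import re

# Constructed sample headers (not from the thread); the host names are the
# ones used in the zone snippet quoted above.
SIGNED_FIELDS = ["from", "to", "subject"]   # assumed h= list of the signer
ORIGINAL = [
    ("From", "alice@example.org"),
    ("To", "Some List <users@lists-one.domain.com>"),
    ("Subject", "DKIM  and CNAMEs"),
]

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"

def header_digest(headers, signed=SIGNED_FIELDS):
    """SHA-256 over the canonicalized signed fields, taken in h= order."""
    by_name = {n.lower(): (n, v) for n, v in headers}
    data = "".join(relaxed_header(*by_name[f]) for f in signed if f in by_name)
    return hashlib.sha256(data.encode("ascii")).hexdigest()

def expand_cname(headers, alias, canonical):
    """Model of the MTA rewrite from the post: alias host -> canonical host
    in the recipient headers (To:, Cc:)."""
    pattern = re.compile(r"(?<=@)" + re.escape(alias) + r"(?![\w.-])", re.I)
    return [(n, pattern.sub(canonical, v) if n.lower() in ("to", "cc") else v)
            for n, v in headers]

def signature_survives(headers, alias, canonical, signed=SIGNED_FIELDS):
    """True if the verifier's digest still equals the signer's digest."""
    rewritten = expand_cname(headers, alias, canonical)
    return header_digest(headers, signed) == header_digest(rewritten, signed)

if __name__ == "__main__":
    ok = signature_survives(ORIGINAL, "lists-one.domain.com", "lists.domain.com")
    print("signature survives CNAME expansion:", ok)
```

Relaxed canonicalization only normalizes case of the field name and whitespace, so it tolerates refolding but not a changed host name in a signed field.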