dovecot mailing list (this mailing list), DKIM, SPF and DMARC
hi at zakaria.website
Fri Oct 21 21:50:43 UTC 2022
On 2022-10-11 14:05, Benny Pedersen wrote:
> hi at zakaria.website wrote on 2022-10-11 13:42:
>> On 2022-09-13 13:10, Benny Pedersen wrote:
>>> hi at zakaria.website wrote on 2022-09-13 14:03:
>
>> from:from:reply-to:date:date:message-id:message-id:to:to:cc:
>> mime-version:mime-version:content-type:content-type:
>> in-reply-to:in-reply-to:references:references
>>
>> Thanks to my friend who didn't need a credit, and helped me out in
>> reaching this solution.
>
> I have no friends, but it might be related
> https://gitlab.com/fumail/fuglu/-/issues/262
>
> with my conservative list of signed headers it passes
Indeed, it's because you set the following headers in DKIM signing
headers:-
from : subject :
date : to : message-id
Although I'm not sure why you've added some space, as per standards I think
only a colon-separated list is the compliant format, like the following:-
from:subject:date:to:message-id
Anyhow, this is my final update. The previous header set which I
included wasn't perfect, as the cc header was causing trouble, given it can
fail at some point, e.g. when replying more than one time to the same
recipient through a mailing list, and mind me, OX and iRedMail, I had to
check your signing header set; hopefully you are OK for me to present
it here as the optimal one to avoid DKIM failures:-
OX:-
Date:From:To:In-Reply-To:References:Subject:From
IRM:-
x-mailer:message-id:in-reply-to:to:references:date:subject
:mime-version:content-transfer-encoding:content-type:from
iRedMail seems to be the best header set, given it includes the X-Mailer
header, which enhances signature validity when the client uses a specific
mail client app; although it can be faked, one must know which client
app the sender would use, and if one was able to have information to this
length, I guess signature validity would be an easy task to break
further.
Also, I was advised by a friend to duplicate the signing headers in
order to disallow spoofing the signature further. While I couldn't see how,
nor populate a proof of concept, I removed it, but if someone understands
it, I would appreciate their elaboration, surely with thanks :)
Good luck.
Zakaria.
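
On the duplicated signing headers asked about above: RFC 6376 (section 5.4) lets a signer list a field name in h= more often than the field occurs, which signs the absence of a further instance, so a From header added later breaks the signature. The sketch below is an added example, not part of the original post or of any mail server's code; the sample headers are constructed and the digest is a simplified stand-in for the real DKIM header hash.

```python
import hashlib

def select_signed(headers, h_tag):
    """Pick the header instances covered by a DKIM h= tag (RFC 6376, 5.4.2).

    headers: list of (name, value) in message order, top first.
    Each name in h= consumes the bottom-most unused instance of that field;
    a name with no instance left selects nothing (the "null" input).
    """
    remaining = list(headers)
    selected = []
    # RFC 6376 permits folding whitespace around the colons in h=.
    for name in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                selected.append(remaining.pop(i))
                break
    return selected

def signed_digest(headers, h_tag):
    """SHA-256 over the selected fields. Simplified: names are lowercased and
    values stripped; the DKIM-Signature field and body hash are left out."""
    data = "".join(f"{n.lower()}:{v.strip()}\r\n"
                   for n, v in select_signed(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample message headers (not taken from the thread).
ORIGINAL = [
    ("From", "alice@example.org"),
    ("To", "list@example.net"),
    ("Subject", "hello"),
]
# The same message after a second From field is prepended after signing.
TAMPERED = [("From", "mallory@example.com")] + ORIGINAL

def survives_added_from(h_tag):
    """True if the signed header data is unchanged by the extra From field."""
    return signed_digest(ORIGINAL, h_tag) == signed_digest(TAMPERED, h_tag)

if __name__ == "__main__":
    for h in ("from:to:subject", "from:from:to:subject"):
        print(f"h={h:<22} still verifies with added From: "
              f"{survives_added_from(h)}")
```

With a single "from" in h= the added field goes unnoticed by the verifier, while a mail client may display either From line; with "from:from" the second slot was signed as empty, so the added field changes the hashed data and verification fails.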