Incoming SMTP in the year 2017 and absence of DKIM
gtaylor at tnetconsulting.net
Sat Dec 2 07:18:17 CST 2017
On 11/30/2017 07:38 PM, John R. Levine wrote:
> I did a draft of a double signing thing that let the sender say who's
> expected to sign a modified forwarded version. The big mail systems
> weren't interested. They want the recipient system to decide.
Okay, I've now read your draft and have some questions.
How would the !fs tag enable multiple forwarders?
The only way that I can think of is for the originating mail server to
DKIM sign the message twice, 1st with the classic DKIM-Signature w/o the
!fs tag, and 2nd with a DKIM-Signature that includes the !fs tag with a
value of the recipient's domain.
I would assume that would mean that the recipient could then forward the
message to a new recipient and that their outgoing mail server would
also sign twice, 1st with classic DKIM-Signature w/o the !fs tag, and
2nd with a DKIM-Signature that includes the !fs tag with a value of the
new recipient's domain.
A1: DKIM-Signature: ... d=domainA.example ...
A2: DKIM-Signature: ... d=domainA.example; !fs=domainB.example ...
B1: DKIM-Signature: ... d=domainB.example ...
B2: DKIM-Signature: ... d=domainB.example; !fs=domainC.example ...
C1: DKIM-Signature: ... d=domainC.example ...
C2: DKIM-Signature: ... d=domainC.example; !fs=domainD.example ...
D1: DKIM-Signature: ... d=domainD.example ...
D2: DKIM-Signature: ... d=domainD.example; !fs=domainE.example ...
E1: DKIM-Signature: ... d=domainE.example ...
E2: DKIM-Signature: ... d=domainE.example; !fs=domainF.example ...
(I suppose that this pattern could go on forever.)
Is this what you were intending? A list of DKIM-Signatures linked via
If I do understand correctly, I think that it's intriguing. I'm not
aware of anything else that would work quite the same way.
Grant. . . .
unix || die
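
The linkage asked about in the post above, as an added example that is not part of the original message or of the draft: it checks only that each signer's !fs value names the domain that signed next, and does no cryptographic verification. The names `parse_tags` and `check_chain` are hypothetical, and the headers are assumed to be listed originator-first as in the post.

```python
import re

def parse_tags(header):
    """Parse one DKIM-Signature header field into a {tag: value} dict."""
    _, _, value = header.partition(":")           # drop the field name
    value = re.sub(r"\r?\n[ \t]+", " ", value)    # unfold continuation lines
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_chain(headers):
    """Return (path, problems) for headers listed originator-first (assumed order)."""
    hops, index = [], {}                          # hops: [signing domain, !fs target]
    for header in headers:
        tags = parse_tags(header)
        domain = tags.get("d", "").lower()        # domain names compare case-insensitively
        if domain not in index:
            index[domain] = len(hops)
            hops.append([domain, None])
        if "!fs" in tags:
            hops[index[domain]][1] = tags["!fs"].lower()
    problems = []
    for (domain, target), (nxt, _) in zip(hops, hops[1:]):
        if target is None:
            problems.append(f"{domain} named no forwarder, yet {nxt} re-signed")
        elif target != nxt:
            problems.append(f"{domain} named {target}, yet {nxt} re-signed")
    return [d for d, _ in hops], problems

# Constructed sample: the A/B/C pattern from the post, with signature data left elided.
SAMPLE = [
    "DKIM-Signature: v=1; d=domainA.example; b=...",
    "DKIM-Signature: v=1; d=domainA.example;\r\n\t!fs=domainB.example; b=...",
    "DKIM-Signature: v=1; d=domainB.example; b=...",
    "DKIM-Signature: v=1; d=domainB.example; !fs=domainC.example; b=...",
    "DKIM-Signature: v=1; d=domainC.example; b=...",
    "DKIM-Signature: v=1; d=domainC.example; !fs=domainD.example; b=...",
]

if __name__ == "__main__":
    path, problems = check_chain(SAMPLE)
    print(" -> ".join(path), "| problems:", problems or "none")
```

A last hop whose !fs names a domain that has not signed yet is not reported, since that domain is simply the next recipient.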