Incoming SMTP in the year 2017 and absence of DKIM

Grant Taylor gtaylor at tnetconsulting.net
Sat Dec 2 07:18:17 UTC 2017


On 11/30/2017 07:38 PM, John R. Levine wrote:
> I did a draft of a double signing thing that let the sender say who's 
> expected to sign a modified forwarded version.  The big mail systems 
> weren't interested.  They want the recipient system to decide.
> 
> https://datatracker.ietf.org/doc/draft-levine-dkim-conditional/

Okay, I've now read your draft and have some questions.

How would the !fs tag enable multiple forwarders?

The only way that I can think of is for the originating mail server to 
DKIM sign the message twice, 1st with the classic DKIM-Signature w/o the 
!fs tag, and 2nd with a DKIM-Signature that includes the !fs tag with a 
value of the recipient's domain.

I would assume that would mean that the recipient could then forward the 
message to a new recipient and that their outgoing mail server would 
also sign twice, 1st with classic DKIM-Signature w/o the !fs tag, and 
2nd with a DKIM-Signature that includes the !fs tag with a value of the 
new recipient's domain.

A1:  DKIM-Signature: ... d=domainA.example ...
A2:  DKIM-Signature: ... d=domainA.example; !fs=domainB.example ...
<1st forward>
B1:  DKIM-Signature: ... d=domainB.example ...
B2:  DKIM-Signature: ... d=domainB.example; !fs=domainC.example ...
<2nd forward>
C1:  DKIM-Signature: ... d=domainC.example ...
C2:  DKIM-Signature: ... d=domainC.example; !fs=domainD.example ...
<3rd forward>
D1:  DKIM-Signature: ... d=domainD.example ...
D2:  DKIM-Signature: ... d=domainD.example; !fs=domainE.example ...
<4th forward>
E1:  DKIM-Signature: ... d=domainE.example ...
E2:  DKIM-Signature: ... d=domainE.example; !fs=domainF.example ...

(I suppose that this pattern could go on forever.)

Is this what you were intending?  A list of DKIM-Signatures linked via 
!fs tags?

If I do understand correctly, I think that it's intriguing.  I'm not 
aware of anything else that would work quite the same way.



-- 
Grant. . . .
unix || die
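
An added example, not part of the original message or of the draft: a Python check that walks the !fs links in the pattern laid out in the message above and reports which domains are linked and which named forwarder has not signed yet. It assumes one !fs signature per domain, uses constructed headers with placeholder `s=` and `b=` values, and checks only the linkage between signatures, not the signatures themselves.

```python
import re

def parse_tags(header):
    """Parse one DKIM-Signature header into a {tag: value} dict."""
    name, _, value = header.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            tag, _, val = item.partition("=")  # first "=" only; b= may contain more
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags

def forward_chain(headers, origin):
    """Follow !fs links starting at origin. Returns (path, pending): the
    domains linked so far and the !fs target that has not signed (or None)."""
    signers, next_hop = set(), {}
    for header in headers:
        tags = parse_tags(header)
        domain = tags.get("d", "").lower()
        if not domain:
            continue
        signers.add(domain)
        if "!fs" in tags:  # assumption: at most one !fs signature per domain
            next_hop[domain] = tags["!fs"].lower()
    path = [origin.lower()]
    if path[0] not in signers:
        raise ValueError("origin domain has no signature on the message")
    while path[-1] in next_hop:
        target = next_hop[path[-1]]
        if target in path:
            raise ValueError("loop in !fs chain at " + target)
        if target not in signers:
            return path, target  # named forwarder has not (yet) signed
        path.append(target)
    return path, None

def sample_headers():
    """Constructed headers mirroring A1/A2 ... E1/E2 from the message."""
    doms = ["domain%s.example" % c for c in "ABCDEF"]
    out = []
    for cur, nxt in zip(doms, doms[1:]):
        out.append("DKIM-Signature: d=%s; s=sel; b=PLACEHOLDER" % cur)
        out.append("DKIM-Signature: d=%s;\r\n\t!fs=%s; s=sel; b=PLACEHOLDER" % (cur, nxt))
    return out
```

Dropping the domainC.example signatures from the sample shows the failure mode: the walk stops at domainB.example with domainC.example pending, and the D and E signatures are no longer reachable from the origin.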
