happy_marmoset

Reputation: 79

Should I sign X headers in DKIM?

I'm using Postfix + OpenDKIM to send emails. Should I sign X headers (X-Confirm-Reading-To, X-Unsubscribe, X-Priority, etc) in DKIM?

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
    d=mydomain.com; s=mail; t=1435840997;
    [email protected];
    bh=5n7rgNH/UhgzXvjmn6zu+M1BL29tq5L9PEZ7SB3uQgI=;
    h=To:Subject:Message-Id:From:X-Confirm-Reading-To:
     Disposition-Notification-To:Return-Receipt-To:List-Unsubscribe:
     List-Id:Date:X-Unsubscribe:X-Priority;
    b=vxfGzczj3S4wm1QtlrPPisyi2FsbDPP+gSSEyx/VWd09xdqSiLwdsn5vJS3SF5KoB
     etbHaJvmfvpbklJLwDPM4g7rRKaRmYXE3X02+E/DzsHFEz3TNPhPfkhNslMefRLf3h
     uq+juAwccQkzjxvvF5W4pukSJr1+Rw7NviukpZT5RSusiKSmJjFLjQavKCFSFme/bR
     u2zTCMEN1JUE5cLXKJV6aFfTl16HRXYimTNvI2pLGJijxku8zKaxrgQevQJM4v3EDX
     vs+gtOhw9t3kJI6OJsmJJyifiBRadl0/D3WUpvqYKGGFyzFPb28zvsI+h/AAOmapbM
     4WeE3vdYLb2Hg==

Which headers should be signed in DKIM?

Upvotes: 0

Views: 2285

Answers (2)

Jasen

Reputation: 12402

There's no compelling reason not to: it wastes a few bytes, that's all. If you get more benefit than the cost then sign them.

Upvotes: 0

terrorbox

Reputation: 709

You can sign custom X- headers, but it's not required.

From http://dkim.org/specs/rfc4871-dkimbase.html#choosing-header-fields:

The following header fields SHOULD be included in the signature, if they are present in the message being signed:

From (REQUIRED in all signatures)

Subject

Date, Message-ID

To, Cc

MIME-Version

Content-Type, Content-Transfer-Encoding, Content-ID, Content-Description

Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Message-ID

In-Reply-To, References

List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive

The following header fields SHOULD NOT be included in the signature:

Return-Path

Received

Comments, Keywords

Bcc, Resent-Bcc

DKIM-Signature

Optional header fields (those not mentioned above) normally SHOULD NOT be included in the signature, because of the potential for additional header fields of the same name to be legitimately added or reordered prior to verification. There are likely to be legitimate exceptions to this rule, because of the wide variety of application-specific header fields that may be applied to a message, some of which are unlikely to be duplicated, modified, or reordered.

Upvotes: 2
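As an added example (not part of either answer), the following Python checks the h= tag of a DKIM-Signature against the RFC 4871 section 5.5 lists quoted above: it reports which signed names are recommended, which are on the SHOULD NOT list, which are optional (X- and other application-specific fields), and whether the required From is missing. The sample signature is constructed; only the h= list mirrors the one in the question.

```python
"""Audit the h= tag of a DKIM-Signature against RFC 4871 section 5.5."""
import re

# Names RFC 4871 s5.5 says SHOULD be signed (matching is case-insensitive).
RECOMMENDED = {
    "from", "subject", "date", "message-id", "to", "cc", "mime-version",
    "content-type", "content-transfer-encoding", "content-id", "content-description",
    "resent-date", "resent-from", "resent-sender", "resent-to", "resent-cc",
    "resent-message-id", "in-reply-to", "references", "list-id", "list-help",
    "list-unsubscribe", "list-subscribe", "list-post", "list-owner", "list-archive",
}
# Names the same section says SHOULD NOT be signed.
SHOULD_NOT = {"return-path", "received", "comments", "keywords",
              "bcc", "resent-bcc", "dkim-signature"}

# Constructed sample: domain/selector/timestamp are placeholders, b= is truncated.
EXAMPLE_SIG = """DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;
    d=example.com; s=mail; t=1435840997; i=@example.com;
    bh=5n7rgNH/UhgzXvjmn6zu+M1BL29tq5L9PEZ7SB3uQgI=;
    h=To:Subject:Message-Id:From:X-Confirm-Reading-To:
     Disposition-Notification-To:Return-Receipt-To:List-Unsubscribe:
     List-Id:Date:X-Unsubscribe:X-Priority;
    b=vxfGzczj3S4wm1QtlrPPisyi2FsbDPP+gSSEyx/VWd09xdqSiLwdsn5vJS3SF5KoB"""


def parse_tags(sig):
    """Split a (possibly folded) DKIM-Signature into a tag -> value dict."""
    sig = re.sub(r"^\s*DKIM-Signature\s*:", "", sig, flags=re.IGNORECASE)
    unfolded = re.sub(r"\r?\n[ \t]+", " ", sig)      # undo RFC 5322 folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # FWS inside values is not significant
    return tags


def audit_signed_headers(sig):
    """Classify every name in h=; also flag a missing From (REQUIRED by RFC 4871)."""
    names = [n.lower() for n in parse_tags(sig).get("h", "").split(":") if n]
    report = {"recommended": [], "should_not": [], "optional": [],
              "from_missing": "from" not in names}
    for name in names:
        if name in SHOULD_NOT:
            report["should_not"].append(name)
        elif name in RECOMMENDED:
            report["recommended"].append(name)
        else:
            report["optional"].append(name)   # X-* and other application-specific fields
    return report
```

Run `audit_signed_headers(EXAMPLE_SIG)` to see the question's X- headers land in the "optional" bucket; a signature whose h= includes Received or omits From is reported as such.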
