General information on Exclusive Signing
KBA-01738
Summary
First, some definitions to familiarize yourself with:
EXCLUSIVE (o=!) means I want DKIM verifiers to know that they can expect a verifiable signature from me anytime my domain appears in a FROM header (no exceptions).
MUNGER means a piece of software that will invalidate a signed message due to alteration or signature removal.
GOLDEN RULE is this: 'an invalid crypto signature is the same as if it wasn't there at all.'
-----
An EXCLUSIVE policy is obviously the most secure that you could use. But it presents problems. When you send a signed message to a MUNGER your signature is invalidated (or even stripped out completely), thereby triggering the GOLDEN RULE. This means that there could be messages with your domain in the FROM that are, for practical purposes, unsigned, and a verifier honoring your EXCLUSIVE policy will treat them accordingly. Therefore you must use an EXCLUSIVE policy with care. In an ideal world all MUNGERS would become 'crypto aware' and not alter digitally signed mail, but this is going to take a decade to achieve. This is a topic we are working on in IETF right now and there's no magic bullet. The best advice I have is that if you want to use EXCLUSIVE, be sure to send traffic to known MUNGERS (such as mailing lists) using a sub-domain which has a more relaxed policy. That way you can have the EXCLUSIVE security you want on, for example, altn.com but have a more relaxed stance on mail from, for example, list-users.altn.com.
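The following Python script is an added illustration of the scenario above; it is not part of this article and not MDaemon's code. It simulates a signer, a mailing-list MUNGER and a verifier that applies the GOLDEN RULE and then the From domain's published policy. HMAC-SHA256 stands in for the RSA signature a real DKIM signer would produce, and a dict stands in for the DNS policy lookup. The domains altn.com and list-users.altn.com and the o=! policy come from the text; the demo keys, the list footer, the o=~ ("some mail is signed") relaxed policy and the accept/reject verdicts are constructed assumptions for the demonstration.

```python
import hashlib
import hmac

# Constructed demo keys; HMAC-SHA256 over the canonicalized message stands in
# for the RSA signature a real DKIM signer would produce.
KEYS = {
    "altn.com": b"altn.com-demo-signing-key",
    "list-users.altn.com": b"list-users-demo-signing-key",
}

# Published signing policies, as a verifier would fetch them from DNS
# (constructed lookup table): "o=!" is EXCLUSIVE, "o=~" means "some mail is signed".
POLICIES = {
    "altn.com": "o=!",
    "list-users.altn.com": "o=~",
}

SIGNED_HEADERS = ("from", "subject")


def make_msg(sender, subject, body):
    return {"headers": {"from": sender, "subject": subject}, "body": body}


def canonicalize(msg):
    """Relaxed-style canonicalization: collapse whitespace in the signed
    headers and in each body line, then drop trailing empty body lines."""
    parts = [f"{h}:{' '.join(msg['headers'][h].split())}" for h in SIGNED_HEADERS]
    body_lines = [" ".join(line.split()) for line in msg["body"].split("\n")]
    while body_lines and body_lines[-1] == "":
        body_lines.pop()
    parts.append("\n".join(body_lines))
    return "\n".join(parts).encode()


def sign(msg, domain):
    """Sign From, Subject and the body with the domain's key and attach the
    signature header; d= names the signing domain."""
    mac = hmac.new(KEYS[domain], canonicalize(msg), hashlib.sha256).hexdigest()
    msg["headers"]["dkim-signature"] = f"d={domain}; h={':'.join(SIGNED_HEADERS)}; b={mac}"
    return msg


def valid_signer(msg):
    """Return the signing domain if a signature is present AND verifies;
    otherwise None. A broken signature is handled exactly like a missing
    one (the GOLDEN RULE)."""
    sig = msg["headers"].get("dkim-signature")
    if sig is None:
        return None
    tags = dict(t.strip().split("=", 1) for t in sig.split(";"))
    key = KEYS.get(tags.get("d"))
    if key is None:
        return None
    expected = hmac.new(key, canonicalize(msg), hashlib.sha256).hexdigest()
    return tags["d"] if hmac.compare_digest(expected, tags.get("b", "")) else None


def mailing_list_munge(msg, strip_signature=False):
    """A MUNGER: tags the Subject and appends a footer, as list software does;
    optionally also drops the signature header outright."""
    out = {"headers": dict(msg["headers"]), "body": msg["body"]}
    out["headers"]["subject"] = "[list-users] " + out["headers"]["subject"]
    out["body"] = out["body"].rstrip("\n") + "\n--\nlist-users mailing list, list-users@altn.com\n"
    if strip_signature:
        out["headers"].pop("dkim-signature", None)
    return out


def from_domain(msg):
    addr = msg["headers"]["from"]
    return addr[addr.rfind("@") + 1:].strip("> ").lower()


def verify(msg):
    """Verifier decision: a valid signature from the From domain is accepted;
    anything else is 'unsigned' and judged by that domain's published policy."""
    domain = from_domain(msg)
    if valid_signer(msg) == domain:
        return ("accept", "valid signature from the From domain")
    policy = POLICIES.get(domain, "o=~")
    if policy == "o=!":
        return ("reject", f"{domain} publishes o=! but no valid signature from it")
    return ("accept", f"no valid signature, but {domain} publishes {policy}")


def demo():
    """Constructed cases: direct mail, mail relayed through the list MUNGER
    (altered and signature-stripped), and the sub-domain workaround."""
    direct = sign(make_msg("alice@altn.com", "Quarterly report", "Numbers attached.\n"), "altn.com")
    sub = sign(make_msg("alice@list-users.altn.com", "Quarterly report", "Numbers attached.\n"),
               "list-users.altn.com")
    return {
        "direct": verify(direct),
        "exclusive_via_list": verify(mailing_list_munge(direct)),
        "exclusive_stripped": verify(mailing_list_munge(direct, strip_signature=True)),
        "subdomain_via_list": verify(mailing_list_munge(sub)),
    }


if __name__ == "__main__":
    for case, (verdict, why) in demo().items():
        print(f"{case:20} {verdict:7} {why}")
```

The verifier also refuses to count a valid signature from a domain other than the one in the FROM, which is what "exclusive" buys you; the cost is that the altered and the stripped list copies of the altn.com message are both rejected, while the same message sent from list-users.altn.com survives the same MUNGER because its relaxed policy tolerates the loss.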
MDaemon:
MDaemon is a NOTORIOUS MUNGER (this needs a separate definition all its own). MDaemon will alter messages in all manner of crypto-unfriendly ways especially in the list code. Changing this is not likely to occur in the short term and even if I did it in MDaemon, I can't compensate for other mail servers.
last updated 3-28-2007