When to sign?
The decision when to sign outgoing emails is also influenced by other aspects. A signature gives testimony about the state of a message at the time it is being signed. If the email is subsequently altered, the signature is no longer valid. That is the way manipulations are detected. If the mail system itself makes changes to the message after the server has signed it, the email that is sent out has been manipulated and is, therefore, invalid. One example is the footer usually attached to outgoing emails by mailing list managers. The initial solution to this problem is to add the signature as late as possible – after all the other components of the mail system have processed the message and no further changes to the message header or body are to be expected.
A different approach involves creating a signature which won't be invalidated by certain modifications. A DKIM signature can be designed to only sign a certain part of the body. This way, a mailing list can attach its footer without scrambling the signature. This level of tolerance, however, also leaves the message open for abuse: The footer can subsequently be replaced by an unwanted message; additional HTML elements can overlap and hide the signed text completely, and added attachments can prompt recipients to double click. The architects of the DKIM RFC therefore explicitly discourage the use of length values within signatures.
A safe method would be to restrict the signature to a certain length in the sender's email and then generate another signature for the complete email after it has been handled by the mailing list manager. Each of the signatures is valid in itself, and a manipulation could be detected before the postmaster has to go and see an ENT specialist because a colleague phoned in to express in no uncertain terms just how much he detests signed spam. The verifying program incidentally determines the signature processing order by the order in which they are inserted. This is possible because the RFC requires the signing instance to always place its DKIM signature at the top of the email. A double signature, however, only makes sense when the various components of a mail system work completely independently of each other.
Usually it is enough to apply one single signature across the whole length of the message as late as possible. The system described here is set up to work this way. With all the preliminary considerations out of the way, the postmaster can now start setting up the system. The first thing to do is create the signature key. The public part of the key goes into the DNS server to be retrieved by remote verifiers. The private part of the key is given to the dkim-milter signature program, which is integrated into the SMTP server using the Sendmail milter (mail filter) protocol. Finally, the signature verification must be activated and suitable message handling rules must be defined in SpamAssassin using the Mail::DKIM Perl module.
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
