go-msgauth
dkim: consider setting a default MaxVerifications
We'll probably want to expose a DefaultVerifyOptions variable to allow users to easily customize the defaults (e.g. keeping the default MaxVerifications but changing the default LookupTXT).
The amount of signatures attached to the message is directly related to the amount of servers that processed it. I believe allowing up to 15 signatures per message is a reasonably safe bet.
> The amount of signatures attached to the message is directly related to the amount of servers that processed it.
I don't think so. Only authoritative servers should sign the message (i.e. servers which have control over the sender's domain name). Intermediary servers (e.g. mailing lists) shouldn't.
So only a single server in the chain should sign the message. Note that allowing multiple signatures is still useful to allow cryptographic primitives to be gradually deployed (e.g. having messages double-signed with both RSA and ECDSA).
FWIW, OpenDKIM's default is 3.
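What a verification cap bounds, as an added example that is not go-msgauth's code and not from any participant in this thread: each DKIM-Signature header field costs the verifier one DNS TXT lookup at `<selector>._domainkey.<domain>`, so the code lists the lookups a message would trigger with and without a limit. `planLookups`, `errTooManySignatures` and `buildMessage` are hypothetical names, and the message is constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// Hypothetical sentinel for this example, returned when the cap truncates the list.
var errTooManySignatures = errors.New("too many DKIM signatures")

// planLookups returns the DNS TXT names a verifier would query for the
// message, considering at most max signatures (max == 0 means no cap).
func planLookups(raw string, max int) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	sigs := msg.Header["Dkim-Signature"] // net/mail canonicalizes header keys
	var capErr error
	if max > 0 && len(sigs) > max {
		sigs, capErr = sigs[:max], errTooManySignatures
	}
	var names []string
	for _, sig := range sigs {
		tags := map[string]string{}
		for _, kv := range strings.Split(sig, ";") {
			if k, v, ok := strings.Cut(kv, "="); ok {
				tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
		// A signature without d= or s= cannot be looked up at all.
		if tags["d"] != "" && tags["s"] != "" {
			names = append(names, tags["s"]+"._domainkey."+tags["d"])
		}
	}
	return names, capErr
}

// buildMessage constructs a sample message carrying n signature headers.
func buildMessage(n int) string {
	sig := "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1; b=AAAA\r\n"
	return strings.Repeat(sig, n) + "From: a@example.org\r\n\r\nbody\r\n"
}

func main() {
	fmt.Println(planLookups(buildMessage(20), 3)) // 20 signatures, cap of 3
}
```

With a cap of 3, the 20-signature sample message yields three lookups plus the sentinel error; with no cap it yields all 20.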