What happens with duplicate substitute headers?

Gary Mills mills@cc.umanitoba.ca
Thu Mar 18 13:12:14 UTC 2010

We've been using dkim-milter-2.4.0 for some time to validate DKIM
signatures in e-mail messages.  Sendmail adds a header like this:

    Authentication-Results: electra.cc.umanitoba.ca; dkim=pass (512-bit key) header.i=@facebookmail.com

I use Authentication-Results as a substitute header so that DCC will
compute checksums for this header.  This technique works very nicely
for whitelisting of messages where the source is known to be free of

We've had a problem recently with phishing e-mail that forges
order-update@amazon.com as the sender.  I hoped to apply the same
technique, but Amazon is only using the older DomainKeys signing
method.  Fortunately, dkim-milter can validate both, so I built
dkim-milter-2.8.3 with libdk included.  For a message signed by both
methods, sendmail now adds two headers, like this:

    Authentication-Results: setup01.cc.umanitoba.ca; domainkeys=pass (testing) header.from=sa-test@sendmail.net
    Authentication-Results: setup01.cc.umanitoba.ca; dkim=pass (1024-bit key)
            header.i=@sendmail.net; x-dkim-adsp=none

The second one has a newline and a tab between the two lines.  I assume
that DCC will rejoin these lines somehow, but what do I specify as the
substitute header.  As well, they've changed the format of the header,
breaking all the checksums.  I'd have to re-list them all.

More importantly, what is DCC going to do with the duplicate header
field names?  Will it just compute two checksums?  In that case, I
suppose it will all work.

-Gary Mills-        -Unix Group-        -Computer and Network Services-

More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.