emersion / go-msgauth

🔏 A Go library and tools for DKIM, DMARC and Authentication-Results
MIT License

dkim: consider setting a default MaxVerifications #35

Open emersion opened 3 years ago

emersion commented 3 years ago

We'll probably want to expose a DefaultVerifyOptions variable to allow users to easily customize the defaults (e.g. keeping the default MaxVerifications but changing the default LookupTXT).

foxcpp commented 3 years ago

The amount of signatures attached to the message is directly related to the amount of servers that processed it. I believe allowing up to 15 signatures per message is a reasonably safe bet.

emersion commented 3 years ago

> The amount of signatures attached to the message is directly related to the amount of servers that processed it.

I don't think so. Only authoritative servers should sign the message (i.e. servers which have control over the sender's domain name). Intermediary servers (e.g. mailing lists) shouldn't.

So only a single server in the chain should sign the message. Note that allowing multiple signatures is still useful to allow cryptographic primitives to be gradually deployed (e.g. having messages double-signed with both RSA and ECDSA).

FWIW, OpenDKIM's default is 3.
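
Added example, not part of the thread and not go-msgauth code: a standard-library sketch of what a verification cap bounds. Every DKIM-Signature field a verifier accepts costs it a key lookup at `<s>._domainkey.<d>` plus a signature check, so the cap limits per-message work. The names `keyQueries`, `errTooMany` and `sampleMessage` are hypothetical, and the message is constructed; the limit of 3 is the OpenDKIM default mentioned above.

```go
package main

import (
	"errors"
	"fmt"
	"net/mail"
	"strings"
)

// errTooMany is this example's own sentinel, not a go-msgauth identifier.
var errTooMany = errors.New("too many DKIM signatures")

// sampleMessage builds a constructed message carrying n folded DKIM-Signature fields.
func sampleMessage(n int) string {
	var b strings.Builder
	for i := 1; i <= n; i++ {
		fmt.Fprintf(&b, "DKIM-Signature: v=1; a=rsa-sha256; d=d%d.example;\r\n\ts=sel%d; bh=AAAA; b=BBBB\r\n", i, i)
	}
	b.WriteString("From: alice@d1.example\r\nSubject: test\r\n\r\nbody\r\n")
	return b.String()
}

// keyQueries lists the DNS TXT names (<s>._domainkey.<d>) a verifier would query,
// one per DKIM-Signature field, stopping after max fields (max <= 0: no limit).
// When fields are skipped it returns the capped list together with errTooMany.
func keyQueries(raw string, max int) (names []string, err error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	sigs := msg.Header["Dkim-Signature"] // canonical MIME form of DKIM-Signature
	if max > 0 && len(sigs) > max {
		sigs, err = sigs[:max], errTooMany
	}
	for _, sig := range sigs {
		tags := map[string]string{}
		for _, kv := range strings.Split(sig, ";") {
			k, v, _ := strings.Cut(kv, "=")
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
		if tags["d"] != "" && tags["s"] != "" { // skip fields with no usable key name
			names = append(names, tags["s"]+"._domainkey."+tags["d"])
		}
	}
	return names, err
}

func main() {
	fmt.Println(keyQueries(sampleMessage(5), 3))
}
```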