lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

verify of subdomain fails even if the signature doesn't have t=s flag #56

Closed falon closed 8 years ago

falon commented 8 years ago

But dkim_verifier claims that the From is not in the domain of the SDID. Is it correct to show this warning, even if the three points above are true?

lieser commented 8 years ago
  • dkim_verifier is configured to allow subdomains in SDID

This option only applies to sign rules with a SDID specified. Even then, it only changes the behavior of the comparison of the two SDIDs (the one specified in the sign rule and the actual one from the signature).

  • The public key is for d=example.com, but it doesn't have any t flag, so subdomain signing is allowed.

This flag is about the relationship between the SDID and AUID, not the From-header. See RFC 6376 section 3.10 for details.

If there is no matching sign rule, the From is compared with the SDID. From is always allowed to be from a subdomain of the SDID. The other way around, the SDID being a subdomain from the From-domain is not allowed. If the test fails, the "From is not in Signing Domain" (DKIM_SIGWARNING_FROM_NOT_IN_SDID) warning is shown. If the above test succeeds, From is then compared with the AUID. In this case, unlike above, the From-domain must be in exactly the same domain as the AUID-domain. If the test fails, the "From does not match User Identifier" (DKIM_SIGWARNING_FROM_NOT_IN_AUID) warning is shown.

Note that the comparison of the SDID/AUID with the From-header is not something the RFC specifies. It is rather a custom Policy enforced by the add-on.

Are you really seeing the "From is not in Signing Domain" warning and not the "From does not match User Identifier" warning? If so, it would help if you could send me an e-mail with this problem as a saved .eml file to dkim.verifier.addon@gmail.com so I can reproduce it myself.

If you are seeing the "From does not match User Identifier" warning, this is expected behavior as long as you have no AUID (i-tag) in the signature. The default AUID is @<SDID>. If you are the signer, you could consider including an AUID. Note that, as stated above, this warning is only a custom Policy of the add-on, and not a violation of the RFC. To suppress this warning in the add-on, you could add a custom signing rule. I could also add an option to disable the comparison of the AUID and From address.
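The two-step From/SDID/AUID policy described in the comment above, written out as a small checker. This is an added example, not code from the dkim_verifier add-on; the function names, the parsed-tag shape and the sample DKIM-Signature headers are constructed for illustration, and the From domain `mail.example.com` stands in for the subdomain in the report (the page only says the key is for `d=example.com`). The default AUID of `@<SDID>` follows the comment and RFC 6376.

```javascript
// Added example (not the add-on's own code): the From-vs-SDID and
// From-vs-AUID policy described in the comment, as a standalone checker.

const WARN_FROM_NOT_IN_SDID = "DKIM_SIGWARNING_FROM_NOT_IN_SDID";
const WARN_FROM_NOT_IN_AUID = "DKIM_SIGWARNING_FROM_NOT_IN_AUID";

// DNS names are case-insensitive and a trailing dot means the root,
// so normalise before comparing.
function normalizeDomain(domain) {
  return domain.trim().toLowerCase().replace(/\.$/, "");
}

// True if `child` equals `parent` or is a subdomain of it.
// mail.example.com is in example.com; notexample.com is not.
function isInDomain(child, parent) {
  const c = normalizeDomain(child);
  const p = normalizeDomain(parent);
  return c === p || c.endsWith("." + p);
}

// Domain part of an AUID such as "@example.com" or "bob@mail.example.com".
function auidDomain(auid) {
  const at = auid.lastIndexOf("@");
  return at < 0 ? auid : auid.slice(at + 1);
}

// Minimal tag=value parser for a DKIM-Signature header value
// (whitespace and folding inside values are stripped).
function parseDkimTags(headerValue) {
  const tags = {};
  for (const part of headerValue.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).replace(/\s+/g, "");
    if (name) tags[name] = value;
  }
  return tags;
}

// Policy from the comment:
//  1. From-domain must be in the SDID (d=); a subdomain of the SDID is
//     allowed, the SDID being a subdomain of the From-domain is not.
//     Failure -> FROM_NOT_IN_SDID, and the AUID check is skipped.
//  2. From-domain must equal the AUID (i=) domain exactly; when i= is
//     absent the AUID defaults to "@" + SDID.
//     Failure -> FROM_NOT_IN_AUID.
function checkFromAgainstSignature(fromDomain, tags) {
  const sdid = tags.d;
  const auid = tags.i !== undefined ? tags.i : "@" + sdid;
  const warnings = [];
  if (!isInDomain(fromDomain, sdid)) {
    warnings.push(WARN_FROM_NOT_IN_SDID);
    return warnings;
  }
  if (normalizeDomain(fromDomain) !== normalizeDomain(auidDomain(auid))) {
    warnings.push(WARN_FROM_NOT_IN_AUID);
  }
  return warnings;
}

// Constructed sample headers (bh= and b= are placeholders, not real values).
const SIG_WITHOUT_AUID =
  "v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject; " +
  "bh=PLACEHOLDER; b=PLACEHOLDER";
const SIG_WITH_AUID =
  "v=1; a=rsa-sha256; d=example.com; i=@mail.example.com; s=sel; " +
  "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER";

// The situation in the report: From is in a subdomain of d=, no i= tag.
console.log(checkFromAgainstSignature("mail.example.com", parseDkimTags(SIG_WITHOUT_AUID)));
// After the signer adds i=@mail.example.com, no warning remains.
console.log(checkFromAgainstSignature("mail.example.com", parseDkimTags(SIG_WITH_AUID)));
// The reverse relationship (SDID below the From-domain) is rejected at step 1.
console.log(checkFromAgainstSignature("example.com", parseDkimTags("v=1; d=mail.example.com; s=sel")));
```

The order of the two checks matters: once the From-domain is outside the SDID, the AUID comparison is never reached, which is why the report can only have produced one of the two warnings.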

falon commented 8 years ago

I'm sorry, I see the "From does not match User Identifier" warning. I've just reconfigured opendkim to set the "i=" flag as well, and your dkim_verifier works perfectly.

I thank you very much for your accurate reply and I apologize for my misunderstanding.