Re: [Ietf-dkim] X-Google-DKIM-Signature header field

Brandon Long <> Tue, 03 September 2019 23:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DA9E71208F0 for <>; Tue, 3 Sep 2019 16:38:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id i9AyxT1fuzVZ for <>; Tue, 3 Sep 2019 16:37:59 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::a35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0BE131208F1 for <>; Tue, 3 Sep 2019 16:37:59 -0700 (PDT)
Received: by with SMTP id b204so3974138vka.7 for <>; Tue, 03 Sep 2019 16:37:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ho05YM7ziiyj+4ZOZqskjB1P5uPrKQZwJnUdIYTftQg=; b=J4hx5U6NRzw5HJt7XSlv6OM7/0mtNmaQonBhMTeKKsqU5uhSlZ8/0RqtdnIriTb68r BC1a0/0AuxnUtpMJbY2ynBmyVOh749HMCzCiAWKwGN5YxVicGOsecpdpG9iSH3QTW8Op OoRM/63tAuCGLNBOeng0shrZJsTgs2PbXrn/ORzfwjrCc/CNS/7ij3YfIpEMrwuYXh6v xE/haJx6DUKoBPPtEJW8EmC+/zohMXclgv7mZ0h6iCc07V+CMlXGivHEUsA9BSA0MTSp 2DreRiVx2lrEAfkjdegTLNEB03vz1bDaibqLGImSB+Fup/mrS9gjPUKnVkuP0Hu/PDoR tSOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ho05YM7ziiyj+4ZOZqskjB1P5uPrKQZwJnUdIYTftQg=; b=bu7o4AKiUEehSZDA5SLQHy+uXTMmyNnzB3DxoVA6kZ92gwjlao26M8vX5MIVPyjKDg DPwL5057KbyYbxuzlbsLNJeuF9sbTujdxYh0s4z/Xs0SCcGEosbj+CLtHJzvCEzDgGCU eX7jAdkg2uR3EmqCCwhU29QZ3riYcpaCI5VFaT3ED3Xuwx30mmmPldINy5V0YlewzTqr GU26g8T8cWfA0sf5UWs6ymOvGmmwnLY5tKtwflP/05mL3U3R71IRilF1VPDFKO46ZMr8 LN6XW9y5sV+7j0j/SrypjiW8GpR2MzLk7XQjNgEvIBRmD9XQEernj9cW8KQh/KuCRTeY Ml4g==
X-Gm-Message-State: APjAAAUKjtRzeNQepCb3UsHj1X052NeJ7eA2ot85LD2s+4aLnxBsB+VD 3V4Mpvcr69sTUqZ5B/HHUxmXsyJup4oda4D1wx2QjEU=
X-Google-Smtp-Source: APXvYqy2Eo91q1kUyYbxQV7n3wLofuoiUQ7tMGCqYj878RXs768X9puDda8XDSJpHAgZaYFE3n1WBggU8eL6G5t20z0=
X-Received: by 2002:a1f:1486:: with SMTP id 128mr18533278vku.40.1567553877230; Tue, 03 Sep 2019 16:37:57 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Brandon Long <>
Date: Tue, 3 Sep 2019 16:37:46 -0700
Message-ID: <>
To: Jim Fenton <>
Content-Type: multipart/alternative; boundary="0000000000000544300591ae9434"
Archived-At: <>
Subject: Re: [Ietf-dkim] X-Google-DKIM-Signature header field
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DKIM List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Sep 2019 23:38:14 -0000

The purpose of the XGDS signature is so that we can assert that it came
from us, and is used as validation on some of the other fields that we add
and that
are signed by that field and that the contents of the message haven't
changed.   One could probably figure out how to verify it since it re-used
the standard dkim libraries.

We don't want to take "ownership" of the message in the reputation sense,
hence the reason it's not a regular DKIM signature, nor do we want to deal
with any pushback from mail admins because some random places they mail on
the internet refuse messages when DKIM signatures are broken (in
contravention of the spec, yes).

It's also not or any other domain ever used for sending mail so
that any reputation or anything else people figure on this isn't applied

Ie, it's not uncommon for various providers to add a chunk of usually
base64 encoded data to headers these days, this signature is there for our
chunk when we require it to only apply to uncorrupted original messages.
Well, we probably wouldn't care for "normal" modifications, but it was
added pre-ARC and the loss of usage for cases where messages are harmlessly
modified is fine.  In fact, one of the use cases is for the
X-Original-Authentication-Results (XOAR) header which was a precursor to
ARC, a kind of one-hop ARC.


On Tue, Aug 27, 2019 at 2:55 PM Jim Fenton <> wrote:

> [resending because I needed to correct subscription address. Apologies
> for duplicate if the moderator approves the original.]
> I recently got a "welcome" message from a mailing list
> that is apparently hosted on Google infrastructure. I notice it wasn't
> DKIM signed, but did have a X-Google-DKIM-Signature header field that
> looked like a normal DKIM signature with (one of Google's
> many domains). Apparently Google doesn't intend that I rely on this
> signature for anything, but does anyone know why they aren't applying a
> normal DKIM signature from here?
> -Jim
> _______________________________________________
> Ietf-dkim mailing list