DKIM: Don't oversign missing Resent-*: headers by default

peterthomassen · peterthomassen · commit 0b39e7f293fe · 2025-07-24T17:16:39.000+02:00
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
@@ -42613,24 +42613,27 @@ If set, this option must expand to a colon-separated
 list of header names.
 Headers with these names, or the absence of such a header, will be included
 in the message signature.
+
+A name can be prefixed with either an &"="& or a &"+"& character.
+If an &"="& prefix is used, all headers that are present with this name
+will be signed.
+If a &"+"& prefix if used, all headers that are present with this name
+will be signed, and one signature added for a missing header with the
+name will be appended.
+
 When unspecified, the header names listed in
 &url(https://www.rfc-editor.org/rfc/rfc4871,RFC 4871) will be used,
-whether or not each header is present in the message.
+with Resent-*: headers prefixed with &"="& so they are signed only
+when present (allowing forwarders to add them).
+The other headers listed are used whether or not they are present in the message.
 The default list is available for the expansion in the macro
 &"_DKIM_SIGN_HEADERS"&
-and an oversigning variant is in &"_DKIM_OVERSIGN_HEADERS"&.
+and a variant oversigning all listed headers is in &"_DKIM_OVERSIGN_HEADERS"&.
 
 If a name is repeated, multiple headers by that name (or the absence thereof)
 will be signed.  The textually later headers in the headers part of the
 message are signed first, if there are multiples.
 
-A name can be prefixed with either an &"="& or a &"+"& character.
-If an &"="& prefix is used, all headers that are present with this name
-will be signed.
-If a &"+"& prefix if used, all headers that are present with this name
-will be signed, and one signature added for a missing header with the
-name will be appended.
-
 .option dkim_timestamps smtp integer&!! unset
 This option controls the inclusion of timestamp information in the signature.
 If not set, no such information will be included.
diff --git a/src/src/miscmods/pdkim/pdkim.h b/src/src/miscmods/pdkim/pdkim.h
@@ -30,9 +30,9 @@
 #define PDKIM_DEFAULT_SIGN_HEADERS "From:Sender:Reply-To:Subject:Date:"\
                              "Message-ID:To:Cc:MIME-Version:Content-Type:"\
                              "Content-Transfer-Encoding:Content-ID:"\
-                             "Content-Description:Resent-Date:Resent-From:"\
-                             "Resent-Sender:Resent-To:Resent-Cc:"\
-                             "Resent-Message-ID:In-Reply-To:References:"\
+                             "Content-Description:=Resent-Date:=Resent-From:"\
+                             "=Resent-Sender:=Resent-To:=Resent-Cc:"\
+                             "=Resent-Message-ID:In-Reply-To:References:"\
                              "List-Id:List-Help:List-Unsubscribe:"\
                              "List-Subscribe:List-Post:List-Owner:List-Archive"
 
