Oversign Emails' DKIM From, To, and CC headers
Oversign From, To, and CC headers – Most DKIM implementations always sign the From, To, and CC headers if they are present in an email, preventing them from being modified if the message is resent. However, if these headers are missing, they are often unsigned, opening the door to replay attacks with forged headers that make the fraudulent emails seem legitimate. Oversigning mitigates these attacks by signing these sensitive headers in all cases, even if they are blank. If you use Proton to send your email, this oversigning is done for you automatically by our mail servers.
Thank you for your idea! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
This is what OpenAI has to say about this issue:
To oversign the From, To, and CC headers in DKIM for outgoing emails in Postfix, you can make use of the OpenDKIM milter integration. Here's a general outline of the steps involved:
Install OpenDKIM: Begin by installing the OpenDKIM package on your Postfix server. The installation steps can vary depending on your operating system. For example, on Ubuntu, you can use the following command:
sudo apt-get install opendkim opendkim-tools
Generate DKIM Key: Generate a DKIM key pair using the opendkim-genkey tool. Replace example.com with your domain name:
opendkim-genkey -b 2048 -d example.com -s selector1
This will create two files: selector1.private (private key) and selector1.txt (DNS record).
Configure OpenDKIM: Open the OpenDKIM configuration file (/etc/opendkim.conf) and make the following changes:
Adjust the paths and selectors as per your key and configuration.
Configure Postfix: Edit the Postfix configuration file (/etc/postfix/main.cf) and add or modify the following lines:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
These lines instruct Postfix to use the OpenDKIM milter on localhost port 8891.
Restart Services: Restart both Postfix and OpenDKIM to apply the changes:
sudo systemctl restart postfix
sudo systemctl restart opendkim
With these steps completed, Postfix will send outgoing emails to the OpenDKIM milter for DKIM signing. The OversignHeaders directive in the OpenDKIM configuration will ensure that the From, To, and CC headers are included in the DKIM signature, even if they are not present in the original message.
Make sure to test your setup and monitor the mail logs for any errors or issues. Adjust the configuration as needed for your specific environment and requirements.