author: Phil Pennock <pdp@exim.org> 2018-03-26 12:24:48 -0400
committer: Phil Pennock <pdp@exim.org> 2018-03-26 12:24:48 -0400
commit: afcdd656bff655cd2d65bc0db39fd0667b55d6ce
tree: 4dcbb7e6165e5141b9f1e1a5d3acc861b2fb85b5 /doc/doc-txt
parent: 8f0776b59c787a5359599f552d6aa7270c66bad3
Add ARC signing caveats
Diffstat (limited to 'doc/doc-txt')
-rw-r--r-- doc/doc-txt/experimental-spec.txt | 14
1 files changed, 14 insertions, 0 deletions
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 1a0ece574..4be142e66 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -806,6 +806,20 @@ is used as a basis (you must have added one on entry to the ADMD).
Expanded as a whole; if unset, empty or forced-failure then no signing is done.
If it is set, all three elements must be non-empty.
+Caveats:
+ * There must be an Authentication-Results header, presumably added by an ACL
+ while receiving the message, for the same ADMD, for arc_sign to succeed.
+ This requires careful coordination between inbound and outbound logic.
+ * If passing a message to another system, such as a mailing-list manager
+ (MLM), between receipt and sending, be wary of manipulations to headers made
+ by the MLM.
+ + For instance, Mailman with REMOVE_DKIM_HEADERS==3 might improve
+ deliverability in a pre-ARC world, but that option also renames the
+ Authentication-Results header, which breaks signing.
+ * Even if you use multiple DKIM keys for different domains, the ARC concept
+ should try to stick to one ADMD, so pick a primary domain and use that for
+ AR headers and outbound signing.
+
--------------------------------------------------------------
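Review bot: In the first caveat, "presumably added by an ACL" hedges on the one step the operator has to get right for arc_sign to succeed; state it as a requirement and point back to the sentence just above the hunk ("you must have added one on entry to the ADMD") so the reader knows where the Authentication-Results header is expected to come from. In the Mailman example, "REMOVE_DKIM_HEADERS==3" reads as a comparison rather than a setting; "REMOVE_DKIM_HEADERS set to 3" would be clearer. The same example says the rename "breaks signing" without tying it to the first caveat; adding that the renamed header no longer counts as an Authentication-Results header for the ADMD, so arc_sign cannot succeed, would tell the operator what to look for. The third caveat's "should try to stick to one ADMD" is soft for a rule that affects both AR headers and outbound signing; consider wording it as a direct recommendation.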