The List-Unsubscribe header works very well with Domain Keys and DKIM. By placing the List-Unsubscribe header within the signed portion of the headers and message, receivers can be sure that the header is legitimate and has not been modified or falsified. As an additional safeguard, receivers might choose to only recognize List-Unsubscribe URLs whose domain name match the authenticated domain.
In this standard example, the List-Unsubscribe header is signed within the DomainKey signature and the URL within matches the domain that has been authenticated.
Domainkey-Signature: q=dns; d=EASE.LSOFT.COM; s=BETA1; c=nofws; h=Date:From:Subject:To:List-Unsubscribe; b=aetHboV7ctf903C4WKjpd4pfNe9PUOmErrfCwktSe7fdrc4c7H4FpGSSF2YUfYoeUEoHRxznKMia5rHTJL2Pah0t6WTCPirnyhzA3rJUz2ZxJH++Y75owoqrK4nzSM8D;
From: LISTSERV@PEACH.EASE.LSOFT.COM
Subject: SPAM-L Digest - 26 Aug 2006 to 27 Aug 2006 (#2006-245)
Date: August 27, 2006 10:00:19 PM CDT
To: SPAM-L@PEACH.EASE.LSOFT.COM
List-Unsubscribe: <mailto:SPAM-L-unsubscribe-request@PEACH.EASE.LSOFT.COM>
This List-Unsubscribe header is suspicious because it is not within the DKIM signature and goes to a different domain than the one that is authenticated.
List-Unsubscribe: <mailto:SPAM-L-unsubscribe-request@PEACH.EASE.ZSOFT.COM>
Domainkey-Signature: q=dns; d=EASE.LSOFT.COM; s=BETA1; c=nofws; h=Date:From:Subject:To:; b=aetHboV7ctf903C4WKjpd4pfNe9PUOmErrfCwktSe7fdrc4c7H4FpGSSF2YUfYoeUEoHRxznKMia5rHTJL2Pah0t6WTCPirnyhzA3rJUz2ZxJH++Y75owoqrK4nzSM8D;
From: LISTSERV@PEACH.EASE.LSOFT.COM
Subject: SPAM-L Digest - 26 Aug 2006 to 27 Aug 2006 (#2006-245)
Date: August 27, 2006 10:00:19 PM CDT
To: SPAM-L@PEACH.EASE.LSOFT.COM
Comments