As most of you already know, the DCRUP working group is adding a new signature algorithm to DKIM. I have been sending dual rsa-sha256/ed25519-sha256 signed mail for some time and I have noticed an oddity in DMARC reporting.
Typically, I'll see something like this XML snippet:

  <auth_results>
    <dkim>
      <domain>kitterman.com</domain>
      <result>pass</result>
      <selector>201803r</selector>
    </dkim>
    <dkim>
      <domain>kitterman.com</domain>
      <result>fail</result>
      <selector>201803e</selector>
    </dkim>

The first one is the rsa-sha256 signature and the second, marked fail, is the ed25519-sha256 signature (I can tell based on the selector). In all cases I've checked, the correct (DMARC pass) result was obtained, but I don't think this is the best way to report it.

RFC 6376 says:

> 3.3.4. Other Algorithms
>
> Other algorithms MAY be defined in the future. Verifiers MUST ignore
> any signatures using algorithms that they do not implement.

I'm not sure reporting a failure is consistent with "MUST ignore". In any case, I think it would be useful to distinguish between DKIM evaluation failed and not evaluated due to unknown algorithm in DMARC reporting.

Scott K

_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
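The distinction the post asks for, as an added illustration that is not part of the post and not taken from any DKIM or DMARC implementation: a verifier that only implements rsa-sha256 (the IMPLEMENTED_ALGS set is an assumption) meets an ed25519-sha256 signature, and instead of recording "fail" it records a separate "not-evaluated" label (a hypothetical label, not a value defined in the RFC 7489 aggregate report schema) so the report reader can tell a broken signature from one that was ignored under RFC 6376 section 3.3.4. The sample XML is the fragment from the post, wrapped so it parses.

```python
"""Added example: keep 'signature failed' apart from 'algorithm not implemented'
when summarising DKIM results for a DMARC aggregate report."""
import xml.etree.ElementTree as ET

# Constructed sample: the <auth_results> fragment quoted in the post, with the
# closing tag added so the parser accepts it.
SAMPLE_AUTH_RESULTS = """<auth_results>
  <dkim><domain>kitterman.com</domain><result>pass</result><selector>201803r</selector></dkim>
  <dkim><domain>kitterman.com</domain><result>fail</result><selector>201803e</selector></dkim>
</auth_results>"""


def parse_dkim_results(xml_text):
    """Return [(domain, selector, result)] for each <dkim> entry in an <auth_results> block."""
    root = ET.fromstring(xml_text)
    return [
        (d.findtext("domain"), d.findtext("selector"), d.findtext("result"))
        for d in root.findall("dkim")
    ]


# Algorithms this hypothetical verifier implements. A verifier written before
# the DCRUP work would know only rsa-sha256 (and the deprecated rsa-sha1).
IMPLEMENTED_ALGS = frozenset({"rsa-sha256"})

# Hypothetical label for "ignored per RFC 6376 3.3.4"; not part of the RFC 7489 schema.
NOT_EVALUATED = "not-evaluated"


def summarise_signatures(signatures, implemented=IMPLEMENTED_ALGS):
    """signatures: iterable of (selector, algorithm, verified_ok).

    verified_ok is True/False for signatures the verifier actually checked and
    None for ones it could not check. A signature whose a= algorithm is not
    implemented MUST be ignored (RFC 6376 3.3.4), so it is reported as
    NOT_EVALUATED rather than as a cryptographic failure.
    """
    entries = []
    for selector, alg, ok in signatures:
        if alg not in implemented:
            entries.append({"selector": selector, "result": NOT_EVALUATED})
        else:
            entries.append({"selector": selector, "result": "pass" if ok else "fail"})
    return entries


def dkim_passes(entries):
    """DMARC needs only one passing (aligned) signature; ignored ones do not count against it."""
    return any(e["result"] == "pass" for e in entries)


if __name__ == "__main__":
    for row in parse_dkim_results(SAMPLE_AUTH_RESULTS):
        print(row)
    # Constructed verifier output for the dual-signed message in the post.
    summary = summarise_signatures([
        ("201803r", "rsa-sha256", True),
        ("201803e", "ed25519-sha256", None),
    ])
    print(summary, "DKIM pass:", dkim_passes(summary))
```

With the rsa-sha256 signature verifying, the overall DKIM outcome is unchanged (pass), which matches what the post observed; what changes is only how the second selector is described in the report.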