>When DKIM-Delegate is used, there are two, valid signatures for the same >domain. One is 'stronger'. > >The scenario being discussed is for a recipient who gets both signatures >when they are valid, but who does not know about DKIM-Delegate. They >only know about DKIM.
That's not a problem -- if it has both signatures it is presumably the real message and it doesn't matter which one the recipient uses. The problem is when the message arrives with only the weak signature. If the recipient doesn't know that the weak signature is supposed to be paired with a strong signature from the forwarder, it will treat the weak signature as a regular signature, which is, as I understand it, undesirable, since that likely means that the message has had its body replaced by a bad guy. Perhaps there are DKIM validators that look at the signature to decide how strong it is, but I don't think I've ever seen one. Either they pass or they fail. R's, John _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc