> One case I saw multiple times where DKIM fails while SPF verifies is when the
> message contains a line starting with "from " which some agent changes to
> ">from ". Some signing software eliminates such lines before signing, but
> that's not in the spec, so one cannot say a signer is defective if it doesn't
> do it.

Have you seen that happen in the MTA relay process (in transit), or only after final delivery? I can see that an MDA or a recipient MUA might do that, but it should *not* happen in transit, so it shouldn't affect DMARC processing.

Do you have actual examples where an MTA is making that change and breaking the DKIM sig? I would be surprised, but, well, I've been surprised many times by what email software will do.

> What I find nonsensical is to eliminate SPF in order to save DNS queries, given
> that we replaced local PSL lookups with a series of queries. We cannot do that
> and pretend that SPF is too expensive.

Yes, I agree: the DNS query load is not one of the arguments I'm making.

Barry

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
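Added example, not part of the original message or of any signer's code: a Python sketch of why the line rewrite discussed in this thread invalidates the DKIM body hash (`bh=`) under both RFC 6376 body canonicalizations, plus a check a signer could run before signing. The function names and sample bodies are constructed for illustration, and the escaping rule is assumed to be the classic mbox one (a `>` prefixed to lines beginning with `From `).

```python
import base64
import hashlib
import re


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip line-end WSP and trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    """Value a signer would place in bh= (SHA-256, base64)."""
    data = canon_relaxed(body) if canon == "relaxed" else canon_simple(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def mbox_escape(body: bytes) -> bytes:
    """Assumed agent behaviour: prefix '>' to every line that starts with 'From '."""
    return re.sub(rb"(?m)^From ", b">From ", body)


def lines_at_risk(body: bytes) -> list[int]:
    """1-based numbers of body lines that such an agent would rewrite."""
    return [i for i, ln in enumerate(body.split(b"\r\n"), 1) if ln.startswith(b"From ")]


def survives_escaping(body: bytes, canon: str) -> bool:
    """True if bh= still matches after the escaping step."""
    return body_hash(body, canon) == body_hash(mbox_escape(body), canon)


# Constructed sample bodies (CRLF line endings, as on the wire).
RISKY = b"Hi all,\r\nFrom now on the build runs nightly.\r\n\r\nRegards\r\n"
SAFE = b"Hi all,\r\nThe build runs nightly from now on.\r\n\r\nRegards\r\n"

if __name__ == "__main__":
    for name, body in (("risky", RISKY), ("safe", SAFE)):
        for canon in ("simple", "relaxed"):
            print(name, canon, lines_at_risk(body), survives_escaping(body, canon))
```

Neither canonicalization tolerates an inserted non-whitespace character, so the relaxed setting does not help here; only avoiding or encoding such lines before signing keeps the hash stable.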