On Sun, Aug 13, 2023 at 8:34 PM Jesse Thompson <z...@fastmail.com> wrote:
> If I understand based on my limited view of history, DKIM was designed for > authentication between two hops. Signature survival across intermediaries > was only achievable by encouraging intermediaries to not make any changes > to the message "inside the envelope" such as standards-allowed MIME > re-encoding (which, notably, prevents intermediaries from improving MIME > interoperability) > That's not how I recall it. DKIM was designed to attach, with cryptographic protection, the domain name of a handling agent to the message. There's no expectation that the agent doing so asserts anything about the content of the message (i.e., "this is not spam"), nor is there any expectation that the domain signing it is the domain originating it. There's no constraint about which agent (receiver or intermediary) attempts to validate it. Also, there are numerous things that can happen to a message en route that could invalidate a signature. Accordingly, the only thing you know when you see a message whose signature validates is that it has not been modified since the signer signed it. The absence of a valid signature (or even of an invalid one) isn't indicative of anything. -MSK, participating
_______________________________________________ Ietf-dkim mailing list Ietf-dkim@ietf.org https://www.ietf.org/mailman/listinfo/ietf-dkim