On Wed, 20 Aug 2025, Murray S. Kucherawy wrote:
> I have to find the specific sections, but I recall RFC 6376 talking about why client verification of signatures is not a great idea. Keys rotate, for example, so long-term signature validation is not guaranteed to be reliable. People who were around in the RFC 4871 days may remember other reasons why the general position was that this wasn't something worth pursuing.
Client signing was clearly out of the question since there's no reasonable way to manage the signing keys, so if they're not going to sign it makes sense for them not to verify either.
Also, by that point we had realized that spam filtering works a lot better in the MTA than in the MUA. It can look at lots of mail at once, not just mail to one user, and have shared dynamically updated criteria. You can still have per-user criteria, but they're applied in the MTA so, among other things, all of the user's MUAs see the same results.
If you want to check a DKIM signature in your MUA you can, but I don't think it's useful in practice. I have a little DKIM validator script I can tell Alpine to run messages through but I only use it for debugging.
R's,
John
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
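The key-rotation point in the quoted text, and the "validator script for debugging" idea in the reply, can be shown with a small piece of client-side checking. The following is an added example, not John's Alpine script and not code from the thread. It does the parts of RFC 6376 that need no crypto library: parse the DKIM-Signature tag list, recompute the body hash (bh=) under "simple" canonicalization, and derive the DNS name of the public key record. The message, the selector names and the "published keys" tables are all constructed; the tables stand in for DNS so the script can show what an old message looks like once the sender has rotated its selector. The final RSA check on b= is deliberately left out.

```python
"""Partial DKIM check a mail client could run for debugging (added example).

Stops short of the RSA signature verification, which needs a crypto library;
everything here is stdlib only. The key tables below are a constructed
stand-in for DNS lookups of <selector>._domainkey.<domain>.
"""
import base64
import hashlib
import re


def parse_tags(header_value: str) -> dict:
    """Split 'v=1; a=rsa-sha256; ...' into a dict, dropping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def simple_body_canon(body: str) -> bytes:
    """RFC 6376 'simple' body canonicalization: CRLF line ends, trailing
    empty lines removed, body ends with exactly one CRLF (empty body -> CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalized body, the value carried in bh=."""
    return base64.b64encode(hashlib.sha256(simple_body_canon(body)).digest()).decode()


def split_message(raw: str):
    """Return (headers, body); folded header lines are joined onto the previous name."""
    head, _, body = raw.partition("\n\n")
    headers, last = {}, None
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and last is not None:
            headers[last] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers, body


def key_record_name(tags: dict) -> str:
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check(raw: str, published_keys: dict) -> str:
    """Return 'bh-mismatch', 'key-unavailable' or 'ready-for-signature-check'.

    A message whose selector has since been retired can never get past the
    second step, whatever the signature itself says.
    """
    headers, body = split_message(raw)
    tags = parse_tags(headers["dkim-signature"])
    if tags.get("bh") != body_hash(body):
        return "bh-mismatch"
    if key_record_name(tags) not in published_keys:
        return "key-unavailable"
    return "ready-for-signature-check"


# Constructed sample message; bh= is computed here so it is consistent with
# the body, b= is a placeholder because no private key is involved.
BODY = "Hello,\n\nKey rotation demo.\n"
SAMPLE = (
    "From: sender@example.com\n"
    "To: recipient@example.net\n"
    "Subject: test\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;\n"
    f"  s=aug2025; h=from:to:subject; bh={body_hash(BODY)};\n"
    "  b=PLACEHOLDER\n"
    "\n" + BODY
)

# Constructed key tables standing in for DNS: at delivery time the selector
# exists; after rotation only the new selector is published.
KEYS_AT_DELIVERY = {"aug2025._domainkey.example.com": "v=DKIM1; p=<constructed>"}
KEYS_AFTER_ROTATION = {"sep2025._domainkey.example.com": "v=DKIM1; p=<constructed>"}

if __name__ == "__main__":
    print("at delivery:    ", check(SAMPLE, KEYS_AT_DELIVERY))
    print("after rotation: ", check(SAMPLE, KEYS_AFTER_ROTATION))
    print("tampered body:  ", check(SAMPLE.replace("Key rotation", "Key r0tation"), KEYS_AT_DELIVERY))
```

Run against the same message twice, once with each key table, and the result changes from "ready-for-signature-check" to "key-unavailable" without the message having changed at all; that is the reliability problem a client-side validator runs into on anything older than the sender's rotation window.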
