On 23/09/2025 1:36 pm, John Levine wrote:
> Or if you really want the MUA to be able to check the signature, something that people keep claiming is useful but I have not seen in practice, the MDA adds another signature describing what it did.
We claim it's useful because it is. Such use is also in line with the original stated purpose of DKIM, which, along with defining MUAs as both potential signers and verifiers, explicitly states that it is expected that Verifiers will be close to an end user (reader).

Client-side, the DKIM-Signature is the most expedient method to identify malicious content. Even where DKIM passes, this is often signed by a third party, and the signing domain immediately identifies where to send abuse complaints, with absolute certainty of origin. I also use this information for legal purposes, including the full subset of DKIM-signed headers in copies of e-mails supplied as supporting evidence. A header describing what the MDA did is not a substitute that will withstand scrutiny.

DKIM has, wrongly, become seen as a necessity to deliver e-mail, not as a mechanism to verify its integrity, which it set out to be. Moves to further entrench DKIM in the realm of SMTP-to-SMTP verification, at the will of receivers, are a step in the wrong direction.
Regards,
R. Latimer
Inveigle.net

_______________________________________________
Ietf-dkim mailing list
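The client-side extraction the post describes, as an added example that is not code from the thread or from any DKIM implementation: it parses the DKIM-Signature tag list, reports the signing domain d= as the accountable party, and selects exactly the header instances the signature covers (including an oversigned empty slot), so the signed subset can be preserved as evidence and the unsigned headers set aside. It assumes a CRLF-terminated raw message and that a verifier has already reported the signature as passing; the sample message and its placeholder bh=/b= values are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple
def parse_tags(value: str) -> Dict[str, str]:
    """Parse an RFC 6376 tag=value list; folding whitespace inside values is dropped."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags
def split_headers(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Unfold the header block of a CRLF message into (name, value) pairs plus the body."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = []
    for line in re.sub(r"\r\n[ \t]+", " ", head).split("\r\n"):
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields, body
def signed_headers(fields, h_tag: str) -> List[Tuple[str, Optional[str]]]:
    """Select the instances h= covers (RFC 6376 s.5.4.2): each name takes the lowest unused
    instance; a name listed more often than present yields (name, None), an 'oversigned' slot."""
    pool, picked = list(fields), []
    for name in filter(None, (n.strip().lower() for n in h_tag.split(":"))):
        for idx in range(len(pool) - 1, -1, -1):
            if pool[idx][0].lower() == name:
                picked.append(pool.pop(idx))
                break
        else:
            picked.append((name, None))
    return picked
def evidence_bundle(raw: str) -> Dict[str, object]:
    """Report the accountable signing domain (d=) and exactly which headers it vouched for.
    Use only on mail a verifier has already reported as DKIM pass; d= is evidence only then."""
    fields, _ = split_headers(raw)
    tags = parse_tags(next(v for n, v in fields if n.lower() == "dkim-signature"))
    covered = signed_headers(fields, tags.get("h", ""))
    unsigned = [f for f in fields if f not in covered and f[0].lower() != "dkim-signature"]
    return {"signing_domain": tags["d"].lower(), "selector": tags.get("s"),
            "signed_headers": covered, "unsigned_headers": unsigned}

# Constructed sample (not from the thread): a third-party sender signs mail whose From: is
# another domain. bh= and b= are placeholders, so this is evidence extraction, not verification.
SAMPLE = "\r\n".join([
    "Received: from mx.esp.example.com by mail.example.org; Tue, 23 Sep 2025 13:36:00 +0000",
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example.com;",
    " s=sel2025; h=from:to:subject:date:from; bh=PLACEHOLDER=; b=PLACEHOLDER=",
    "From: Shop <news@shop.example>", "To: reader@example.org", "Subject: Your invoice",
    "Date: Tue, 23 Sep 2025 13:36:00 +0000", "X-Mailer: bulk-sender 1.0", "", "Hello", ""])
```

On the sample, `evidence_bundle(SAMPLE)` names esp.example.com as the signer even though From: is shop.example, and lists Received and X-Mailer as headers the signature never covered.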
