Hi,

On 09.01.2026 20:07, Steffen Nurpmeso wrote:

> Given that collected RFC 5863 "organizational trust" can be nothing but a volatile thing, any user could, even if by accident, when playing around, out of boredom or juvenile horniness, by creating a header with a base64ified image, for example porn (ok, there is Wikipedia with lots of images, and all that, but..), that is caught and hard-cut by a spam checker, declassify the reputation of the entire domain?
I don't see how that differs from any other user-controllable input being signed. A spam checker of such poor quality would likely do so even without the headers being signed.
I think this fear is too hypothetical and conditional compared to the real-life attack vectors caused by current DKIMv1 implementations being too conservative with which headers they sign. Future iterations should at least not repeat past mistakes.
Best,
Taavi

_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
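The reply above turns on which header fields a DKIM signer lists in the h= tag. The following is an added example, not code from this thread or from any DKIM implementation: it parses the tag-list of a DKIM-Signature value and reports which of an administrator's expected fields are left unsigned (and therefore freely modifiable or addable in transit), and which fields are oversigned, i.e. listed in h= more often than they occur so that a later addition breaks the signature (a technique RFC 6376 permits). The `EXPECTED_SIGNED` list and the sample signature and header set are constructed for the example; RFC 6376 itself only mandates that From be signed.

```python
# Added example: audit the header coverage of a DKIM-Signature.
# Not from the mailing-list thread or any DKIM library.
import re
from typing import Dict, List

# Constructed policy for this example: fields an operator may want covered.
# RFC 6376 only requires From; everything else here is a local choice.
EXPECTED_SIGNED = ("from", "to", "subject", "date", "reply-to", "message-id")


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags: Dict[str, str] = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue  # trailing ';' or empty element
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        # Folding whitespace inside a tag value (e.g. a wrapped b=) is not significant.
        tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def signed_headers(tags: Dict[str, str]) -> List[str]:
    """Return the h= field names, lower-cased, in signing order (duplicates kept)."""
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def audit_signature(header_value: str, message_headers: List[str]) -> Dict[str, List[str]]:
    """Compare the h= list against the header fields actually present in the message.

    missing    : expected fields that are present but not covered by the signature
    oversigned : fields listed in h= more times than they occur (blocks later additions)
    unsigned   : every present field the signature does not cover at all
    """
    tags = parse_dkim_tags(header_value)
    signed = signed_headers(tags)
    present = [h.lower() for h in message_headers]

    missing = [h for h in EXPECTED_SIGNED if h in present and h not in signed]
    oversigned = sorted({h for h in signed if signed.count(h) > present.count(h)})
    unsigned = sorted({h for h in present if h not in signed and h != "dkim-signature"})
    return {"signed": signed, "missing": missing, "oversigned": oversigned, "unsigned": unsigned}


# Constructed sample input: a signature that covers From/Subject/Date/To,
# oversigns To and Reply-To, but leaves Message-ID uncovered.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;"
    " h=from:subject:date:to:to:reply-to;"
    " bh=EXAMPLEBODYHASH=;"
    " b=EXAMPLESIGNATURE="
)
SAMPLE_HEADERS = ["Return-Path", "From", "To", "Subject", "Date", "Message-ID", "DKIM-Signature"]


if __name__ == "__main__":
    report = audit_signature(SAMPLE_SIGNATURE, SAMPLE_HEADERS)
    for key, value in report.items():
        print(f"{key:>10}: {', '.join(value) or '-'}")
```

Run stand-alone, the report shows Message-ID as both missing and unsigned, and To and Reply-To as oversigned; a verifier or a signing-policy test can apply the same check to real messages to see how conservative a given implementation's h= list is.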
