In section 6.2 "Get The Public Key", we have step #2:

| 2. If the query for the public key fails to respond, the verifier
| SHOULD defer acceptance of this email (normally this will be
| achieved with a 451/4.7.5 SMTP reply code).
This assumes a dynamic SMTP-level operational (DATA call-out) implementation. In my view, this is the ideal and the preferred mode of DKIM operation. But what about post-SMTP/transport DKIM implementations? These require mail acceptance, and DNS query errors/rejections can promote bounce attacks. This dilemma also promotes unreliable mail delivery/notification practice (dropping mail rather than taking the chance of bouncing mail as required by SMTP). This is a tough one, hence the direction to do SMTP-level operations, since the response is established and the design resolves all SMTP technical (and legal) expectations. Nonetheless, with DKIM as a payload solution, there will be operations in post-SMTP modes too. So this needs to be mentioned/addressed as well.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com

NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
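The two modes discussed in the message, as an added example that is not code from the DKIM specification or from the post's author: a verifier distinguishes "key record does not exist" (permanent) from "no DNS response" (temporary) and, for the temporary case, defers with 451 4.7.5 only while still inside the SMTP transaction; once the message has been accepted it is delivered with dkim=temperror recorded rather than bounced. The resolver callback, exception classes and result dictionary are assumptions of this example.

```python
from typing import Callable, List

# DKIM key record name: <selector>._domainkey.<signing domain>
KEY_NAME = "{selector}._domainkey.{domain}"

class NoRecord(Exception):
    """Record does not exist (NXDOMAIN / no TXT data): a permanent failure."""

class NoResponse(Exception):
    """DNS gave no answer (timeout, SERVFAIL): a temporary failure."""

# Assumed resolver interface: returns TXT strings or raises one of the above.
Resolver = Callable[[str], List[str]]

def handle_key_lookup(selector: str, domain: str, resolve: Resolver,
                      smtp_time: bool) -> dict:
    """Map the outcome of the public-key lookup to a safe verifier action.

    smtp_time=True  -> still in the DATA phase; a 4xx reply makes the sender retry.
    smtp_time=False -> message already accepted; never generate a bounce here.
    """
    name = KEY_NAME.format(selector=selector, domain=domain)
    try:
        txt = resolve(name)
    except NoRecord:
        # The signature can never verify; the message itself is still accepted
        # and the result is recorded for downstream policy.
        return {"dkim": "permerror", "accept": True,
                "auth_results": f"dkim=permerror (no key record {name})"}
    except NoResponse:
        if smtp_time:
            # Deferring is free of bounce risk: the sending MTA owns the retry.
            return {"dkim": "temperror", "accept": False,
                    "smtp_reply": "451 4.7.5 Unable to verify signature - "
                                  "key server unavailable"}
        # Post-acceptance: a bounce could land on a forged sender, so deliver
        # and leave an Authentication-Results trace of the temporary error.
        return {"dkim": "temperror", "accept": True,
                "auth_results": f"dkim=temperror (key retrieval failed {name})"}
    return {"dkim": "key-found", "accept": True, "key_record": txt[0]}

# Constructed resolvers standing in for real DNS behaviour (not real data).
def resolver_ok(name: str) -> List[str]:
    return ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEYDATA"]

def resolver_missing(name: str) -> List[str]:
    raise NoRecord(name)

def resolver_timeout(name: str) -> List[str]:
    raise NoResponse(name)
```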