>But it wasn't. The FUD was actually increased, because the DKIM-Signature >that was added doesn't cover the Authentication-Results header.
Chaining signatures with Authentication-Results is unlikely to work, since with two or more levels of chaining, there is no reliable way to tell which A-R header goes with which signature. But since it is a Fundamentally Bad Idea, it doesn't matter, and there is no security issue to fix. If a message has one good signature and a bunch of broken signatures, as will generally be the case here, you ignore the broken ones and use the good one to evaluate the message. Everybody I know filters list mail based on the identity of the list, not the identity of the contributors, they have ever since there has been mail filtering, and there is no reason to expect that to change in the future. I am baffled that people have wasted so much effort on broken non-solutions to a non-existent problem. A-R can be useful in some very narrow circumstances, where the channel between the agent that applies the header and the agent that uses it is secure. The most likely setup is that it's applied as the message is dropped into a mailbox on a server, and it's used by a MUA or local filtering proxy that picks up the message via POP or IMAP. R's, John _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html