Either the message has a valid DKIM signature, or it does not. If the signature is valid, then the signing domain takes responsibility for the message, subtly malformed or not. Just because the message lacks a Date: header or has bare linefeeds doesn't mean that the signing domain isn't responsible for it.
Recall that the original question was about a valid message with a valid signature, which the attacker mutated by adding an extra header that makes it an invalid message with a signature that still mechanically verifies. Who's responsible for it now?
Is it DKIM's job to make the verification fail, or is it an MUA's job to do something reasonable with malformed messages?
R's, John
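As an added illustration (not part of the original message): a simplified model of how a verifier picks the header fields named in `h=`, bottom-up as in RFC 6376 section 5.4.2, showing why an extra From: added at the top leaves the signed header hash unchanged unless the signer listed `from` one more time than it occurs. The function names and addresses are constructed for this example, and canonicalization and the public-key step are left out.

```python
import hashlib

def select_signed(headers, h_tag):
    """Select header instances as RFC 6376 section 5.4.2 describes: for each
    name in h=, take the lowest not-yet-used instance of that field; a name
    with no instance left is recorded as absent (None)."""
    remaining = list(headers)              # (name, value) pairs, top to bottom
    picked = []
    for name in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                picked.append(remaining.pop(i))
                break
        else:
            picked.append((name, None))    # the signature covers its absence
    return picked

def header_digest(headers, h_tag):
    """SHA-256 over the selected fields. Stands in for the signed header
    hash only; an absent field contributes nothing to the input."""
    h = hashlib.sha256()
    for name, value in select_signed(headers, h_tag):
        if value is not None:
            h.update(f"{name.lower()}:{value.strip()}\r\n".encode())
    return h.hexdigest()

# Constructed sample message (header section only).
ORIGINAL = [
    ("From", "alice@signer.example"),
    ("Subject", "Quarterly report"),
    ("Date", "Mon, 01 Jan 2024 10:00:00 +0000"),
]
# Same message with one extra From: added above the signed headers.
MUTATED = [("From", "someone-else@other.example")] + ORIGINAL

def survives(h_tag):
    """True if the added header leaves the header digest unchanged."""
    return header_digest(ORIGINAL, h_tag) == header_digest(MUTATED, h_tag)

if __name__ == "__main__":
    print("h=from:subject:date      ->", survives("from:subject:date"))
    print("h=from:from:subject:date ->", survives("from:from:subject:date"))
```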
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html