> If we can extract DKIM from the equation entirely and the problem
> remains, how is it a DKIM problem?

But it doesn't. Absent a DKIM signature, nobody's making any assertions about incoming messages, and there's no reason to treat duplicate headers as anything beyond a software bug.

With a valid DKIM signature from a credible signer, I would really like to be able to drop a message into the recipient's inbox without further processing. If I have to run it through spamassassin anyway to detect message mutations that DKIM doesn't, its utility is vastly less.

We put a bunch of stuff in DKIM to allow benign modifications of messages, notably relaxed canonicalization. (We can argue about whether l= is useful, but it's easy enough to ignore if one thinks it isn't.) I think it's also reasonable to put stuff in to disallow malevolent modifications.

I'm certainly not suggesting a full 5322 body cavity search, but I think reasonable checks would include checking for duplicates of headers that MUAs are likely to show, such as Subject, To, From, Sender, and Cc.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
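The duplicate-header check proposed in the message above, as an added example (not code from this thread or from any DKIM implementation). It goes one step further than a plain duplicate count by comparing against the signature's h= tag, relying on the RFC 6376 rule that signed header instances are selected from the bottom of the header block upward. It assumes signature verification has already passed elsewhere; the function names, the sample message and its placeholder signature values are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Headers an MUA is likely to show, as listed in the message above.
DISPLAYED = ("subject", "to", "from", "sender", "cc")

def signed_header_counts(msg):
    """Count how often each header name is listed in h= of the first DKIM-Signature."""
    sig = msg.get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*h\s*=([^;]*)", sig)
    names = m.group(1).split(":") if m else []
    return Counter(n.strip().lower() for n in names if n.strip())

def audit_displayed_headers(raw):
    """Report displayed headers that occur more than once.

    unsigned_instances is how many copies the signature does not cover:
    DKIM selects instances bottom-up, so with h= naming a header once,
    only the last copy in the message is signed.
    """
    msg = message_from_string(raw)
    present = Counter(k.lower() for k in msg.keys())  # keys() keeps duplicates
    signed = signed_header_counts(msg)
    findings = {}
    for name in DISPLAYED:
        if present[name] > 1:
            findings[name] = {
                "count": present[name],
                "unsigned_instances": max(0, present[name] - signed[name]),
            }
    return findings

# Constructed sample: a second Subject sits above the signed one.
# bh= and b= are placeholders; no cryptographic check is done here.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
Subject: Second Subject added after signing
From: alice@example.com
To: bob@example.net
Subject: Original signed subject

body
"""

if __name__ == "__main__":
    print(audit_displayed_headers(SAMPLE))
```

A receiver could treat any non-empty result as grounds to withhold the "deliver without further processing" treatment, even though the signature itself verifies.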