On Mon, Feb 22, 2016 at 3:49 PM, Steve Atkins <st...@blighty.com> wrote:
>
>> On Feb 22, 2016, at 12:48 PM, Jim Popovitch <jim...@gmail.com> wrote:
>>
>> On Mon, Feb 22, 2016 at 1:46 PM, John Levine <jo...@taugh.com> wrote:
>>>>> IMHO, Mailman should strip the existing DKIM header and Mailop.org should
>>>>> sign anew.
>>>>
>>>> Yes! That is the perfect and proper way, despite some rants by less
>>>> experienced mailinglist operators.
>>>
>>> Hi. I've been running mailing lists since the late 1970s and having
>>> actually read the DKIM specs and written a fair amount of DKIM code, I
>>> know that stripping signatures makes no difference unless someone's
>>> mail filters are breathtakingly broken.
>>
>> But leaving the DKIM signatures provides what actual value with modern
>> MLMs (i.e. not .forward files, etc.) ?
>
> The same value as most of the other trace headers - debugging problems
> after the fact. "This mail was apparently DKIM signed when sent by the
> original author" (probably) isn't terribly useful to automation, but it is for
> human debugging.

I turn the old signature into an X-header, which strips it of its power as far as machine validation goes, but leaves it available for human debugging if desired.

I really dislike leaving a no-longer-valid DKIM signature in place as is -- we'll see how ARC might change whether or not you might want to do that -- but today, if that signature is left intact it's going to fail when checked and I don't think you'd want to purposely set somebody up to deal with that. I just don't think it qualifies as a best practice.

Al

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
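
The header rename described in the reply above, as an added example that is not part of the original thread or any poster's code. The replacement name `X-Original-DKIM-Signature` is an assumption (the post says only "an X-header"), and the sample message is constructed.

```python
import re
from typing import Tuple

# Assumed name: the post says only "an X-header".
RENAMED = b"X-Original-DKIM-Signature"
_FIELD = re.compile(rb"dkim-signature[ \t]*:", re.IGNORECASE)

# Constructed sample message (CRLF line endings, placeholder signature data).
SAMPLE = (
    b"Received: from list.example by mx.example; Mon, 22 Feb 2016 15:49:00 -0500\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=sel1;\r\n"
    b"\th=from:subject:date; bh=CONSTRUCTED=;\r\n"
    b"\tb=CONSTRUCTED\r\n"
    b"dkim-signature: v=1; a=rsa-sha256; d=esp.example; s=k1; b=CONSTRUCTED\r\n"
    b"From: Author <author@author.example>\r\n"
    b"Subject: [list] test\r\n"
    b"\r\n"
    b"Quoted in body, must not change:\r\n"
    b"DKIM-Signature: v=1; d=body.example\r\n"
)


def neutralize_dkim(raw: bytes) -> Tuple[bytes, int]:
    """Rename every DKIM-Signature header field in a raw RFC 5322 message.

    Only the header block (everything before the first empty line) is
    rewritten. Folded continuation lines start with whitespace, so they never
    match and stay attached to the renamed field. The body is passed through
    byte for byte. Returns (rewritten message, number of fields renamed).
    """
    sep = re.search(rb"\r?\n\r?\n", raw)  # header/body boundary, CRLF or LF
    head, rest = (raw[:sep.start()], raw[sep.start():]) if sep else (raw, b"")
    out, count = [], 0
    for line in head.splitlines(keepends=True):
        m = _FIELD.match(line)  # anchored at line start, case-insensitive
        if m:
            line = RENAMED + b":" + line[m.end():]
            count += 1
        out.append(line)
    return b"".join(out) + rest, count


if __name__ == "__main__":
    rewritten, n = neutralize_dkim(SAMPLE)
    print(n, "signature field(s) renamed")
    print(rewritten.decode("ascii"))
```

A verifier parsing the result finds no `DKIM-Signature` field to evaluate, while the original signature text remains readable in the renamed fields for debugging.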