>I turn the old signature into an X-header, which strips it of its >power as far as machine validation goes, but leaves it available for >human debugging if desired.
An X-Header and a broken DKIM signature have exactly the same validation power: none. It doesn't hurt much (give or take Steve's note about debugging) but it also accomplishes nothing. >I really dislike leaving a no-longer-valid DKIM signature in place... You've made that clear, but that's not much of an argument about why it would be a good idea. Personally, I really dislike looking at DMARC policy on mail that doesn't already score as pretty spammy. R's, John _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
