> > Further, how does DKIM prove the message wasn't altered? To my knowledge,
> > SPF proves the message came from a qualified server and DKIM proves the FQDN
> > is a match.
>
> DKIM signs a hash of the canonicalized message body and the set of headers
> specified in the signature. Modify the body or any of those headers, the
> signature breaks.
Maybe DKIM verification should ignore list tags in the subject if the first
attempt was unsuccessful. I.e. I could imagine a smarter canonicalization.

Gabor

--
"Spider-Pig, Spider-Pig
Does whatever a Spider-Pig does.
Can he swing from a web?
No, he can't, he's a pig.
Look out! He is a Spider-Pig."
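
An added example, not part of the thread: a sketch of RFC 6376 "relaxed" canonicalization showing which changes the existing scheme already tolerates (whitespace refolding) and which break verification (a list subject tag, an appended footer). The sample messages are constructed, and `header_digest` is a simplification that assumes only From and Subject are signed and omits the DKIM-Signature header and the public-key signature step.

```python
import base64
import hashlib
import re

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse and trim WSP."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")   # WSP runs -> one SP, trim ends
    return f"{name.lower().strip()}:{value}\r\n"

def relaxed_body(body):
    """RFC 6376 section 3.4.4: trim line ends, collapse WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)

def body_hash(body):
    """Value carried in the bh= tag for a relaxed/sha256 signature."""
    digest = hashlib.sha256(relaxed_body(body).encode()).digest()
    return base64.b64encode(digest).decode()

def header_digest(headers, signed=("From", "Subject")):
    """Simplified stand-in for the signed header hash (see lead-in for what is omitted)."""
    data = "".join(relaxed_header(name, headers[name]) for name in signed)
    return hashlib.sha256(data.encode()).hexdigest()

def survives(sent, received):
    """Report which of the two hashes still match after the message was relayed."""
    return {
        "body": body_hash(sent["body"]) == body_hash(received["body"]),
        "headers": header_digest(sent["headers"]) == header_digest(received["headers"]),
    }

# Constructed sample messages (not taken from the thread).
SENT = {"headers": {"From": "alice@example.org", "Subject": "DKIM question"},
        "body": "Hello list,\r\nhow does DKIM work?\r\n"}
# A relay that only changes whitespace: tolerated by relaxed canonicalization.
REFOLDED = {"headers": {"From": "alice@example.org", "Subject": "DKIM   question "},
            "body": "Hello list,  \r\nhow does  DKIM work?\r\n\r\n"}
# A list server that tags the subject and appends a footer: both hashes change.
LIST_RELAYED = {"headers": {"From": "alice@example.org", "Subject": "[list] DKIM question"},
                "body": SENT["body"] + "-- \r\nlist footer\r\n"}

if __name__ == "__main__":
    print("whitespace only:", survives(SENT, REFOLDED))
    print("list tag + footer:", survives(SENT, LIST_RELAYED))
```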
