And you thought this list was dead. I was asked to consult recently on some DKIM questions raised by a customer of a former employer. The questions involved the meaning of "t=" in DKIM keys and the text in RFC6376. The focus of this tag has always been, to the best of my recollection, the notion that "We're only testing DKIM, so please don't punish this mail if the signature fails to verify." We nearly deleted this during the Draft Standard update because that's effectively the same advice we give to failed signatures in general, making "t=y" pretty much meaningless. The only interesting thing we say about it now is that if a verifier wants to be extra helpful, it could collect extra information about failed signatures referencing "t=y" keys to help the signer figure out what went wrong.
That customer brought up an interesting point. "t=y" could also be useful for messages whose signatures do verify. Specifically, it could be used by a signer to say "It's possible this message shouldn't have been signed by us. Please don't give it any preferential treatment based on our name's reputation if the signature verifies, which could then tarnish our reputation." Unlike the verification failure case, I don't think this has any practical use by an attacker because it's explicitly declining any special positive treatment. That means it's actually useful in the success case. Any comments about this? I talked to Dave last week as we happened to be at the same event, and he thought this warranted a new erratum against RFC6376. I've opened a ticket to arrange that "t=y" suppresses any positive impact domain reputation has in the next version of OpenDKIM, as an experiment. -MSK
_______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html