> The DKIM RFC
> https://datatracker.ietf.org/doc/html/rfc6376#section-8.2
> tells us that it is not safe to rely on the DKIM length (l=) tag
> and
> https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/
> shows how it can be used to subvert BIMI*.
>
> I am looking at extending Mail::SpamAssassin::Plugin::DKIM to indicate
> when a DKIM body signature only covers part of the message body
> and how much of the body is unsigned (bytes, percentage or possibly
> both).
>
> I am new to the spamassassin code, so any comments or suggestions would be
> welcome.
>
> * I am not a fan of BIMI, but big name players appear to be using
> it to display "trustable" logos on GUI mail clients, so users *will*
> be caught when it breaks.

Hi Andrew, this is a bit off topic, I posted this a while ago on the mailing list. But did you notice by any chance that e.g. hotmail.com is failing every DKIM verification (except their sender rewritten messages)?
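
The measurement proposed in the quoted message (how much of the body an l= tag leaves unsigned, in bytes and as a percentage), as an added example that is not part of this thread and not SpamAssassin code. It is written in Python rather than Perl so it runs stand-alone; the function names, the sample signature and the sample body are constructed for illustration.

```python
import re

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature header value into tag=value pairs (RFC 6376 3.2)."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

def canonicalize_body(body: bytes, algo: str) -> bytes:
    """Body canonicalization per RFC 6376 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if algo == "relaxed":
        body = re.sub(rb"[ \t]+", b" ", body)       # collapse runs of WSP to one SP
        body = re.sub(rb" (?=\r\n|\Z)", b"", body)  # strip WSP at end of each line
    while body.endswith(b"\r\n"):                   # ignore trailing empty lines
        body = body[:-2]
    if body or algo != "relaxed":                   # simple: an empty body becomes CRLF
        body += b"\r\n"
    return body

def body_coverage(sig_value: str, body: bytes) -> dict:
    """Report how much of the canonicalized body the l= tag leaves unsigned."""
    tags = parse_tags(sig_value)
    c = tags.get("c", "simple/simple")
    # A single algorithm in c= names the header algorithm; the body defaults to simple.
    body_algo = c.split("/")[1] if "/" in c else "simple"
    total = len(canonicalize_body(body, body_algo))
    has_l = "l" in tags
    limit = int(tags["l"]) if has_l else total      # no l= tag: whole body is signed
    signed = min(limit, total)
    unsigned = total - signed
    return {
        "has_l": has_l,
        "l_exceeds_body": limit > total,  # RFC 6376 3.5: l= must not exceed body length
        "signed_bytes": signed,
        "unsigned_bytes": unsigned,
        "unsigned_pct": round(100 * unsigned / total, 1) if total else 0.0,
    }

# Constructed sample: the signer covered only "Hello\r\n" (l=7); the rest was appended.
SIG = "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel; l=7; bh=PLACEHOLDER; b=PLACEHOLDER"
BODY = b"Hello\r\n" + b"Appended content\r\n\r\n"

if __name__ == "__main__":
    print(body_coverage(SIG, BODY))
```

The count is taken over the canonicalized body because that is what l= measures, so the unsigned figure can differ from the raw body length of the message.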
