Michael Hammer (5304) wrote:
> This is exactly why I said in the article:
> "Some might assert that an organization should never DKIM sign a
> non-existent message-id header. At this time it is not clear, at least
> to me, that this is absolutely true. The implications of signing versus
> not signing under these circumstances certainly merit a healthy
> discussion before a verdict is reached."
> I've seen little if any (systematic) discussion of the various cases
> (for all headers) and how unsigned non-existent (at time of injection to
> the mail stream or signing) might be abused at a later point. Most of
> the discussion is about how things SHOULD function, not how they might

I agree. As I call it "protocol consistency". Simply put, we don't
have it here.
I think there were many discussions in the past when SSP was still
part of the picture. SSP is what sold DKIM to me and others. The
strong early emphasis and marketing presentation points wrt SSP was
the deciding difference over DKEYS.
ADSP watered it down and since we no longer have a true champion of
policy based DKIM implementations speaking on our behalf, our voices
and concerns are ignored and stamped out.
I will say, if ADSP is not part of the picture, I will not bother with
DKIM. Maybe, if someone came with a DNS DKIM ZONE, that had only a
listing of domains with ALWAYS SIGN, but with nothing like this, pure
DKIM processing will be a waste of time.
I should have never given up on DSAP (DKIM Signature Authorization
Protocol) and kept on it. I only did so after being told SSP would be
more considerate of the concerns outlined in DSAP. If I knew SSP was
going to be taken over by ADSP, especially by someone who never
believed in POLICY to begin with, which made the whole process, well,
stink, no doubt I would have never given up on DSAP.
Oh well, as long as DKIM-BASE remains open and not locked down to
specific accessors and reputation trust services, then at least there
is still hope for new I-D and inventions to happen. Maybe then I will
introduce DSAP again.
While there might be some folks here that despise SPF, and even among
those who support it and know it's not 100% perfect, it did prove one
The industry desire to accept the idea of a DOMAIN EMAIL
POLICY Discovery process solidified by the millions of domains
and receivers that support SPF.
There is no doubt about that.