The deployment guide section 6.5 writes:

   Any forwarder that modifies messages in ways that will break
   preexisting DKIM signatures SHOULD always sign its forwarded
   messages.

However, there is no implication about forwarder signing restrictions
in section 6.5 which is possible in section 6.1 regarding ADSP
support. Simply put, there is deployment consistent guidelines
between the two sections:
- ADSP semantics in section 6.1
- Forwarder signing semantics in Section 6.5
In order to correct this, I propose the following draft text for
Section 6.5:

   Before any forwarder attempts to modify messages and add
   a new signature to the message, it SHOULD look at the
   ADSP record for the 5322.From domain. If the domain has
   an ADSP record with "dkim=all" or "dkim=discardable", the
   forwarder SHOULD NOT forward the message.

   Note: Forwarders who do not support ADSP should be aware
   bounce mail may result. For mailing list systems,
   false subscriber removal notifications can occur when
   subscribers' MDA receivers are supporting ADSP.

   See section 6.1 for ADSP support recommendations.

Note:
I am not locked into any of the words or semantics above. It's just the
ideal and would be MORE than happy if someone else can better word it
that could be acceptable by others. My main goal is to highlight the
inconsistency in the deployment guideline in section 6.1 and section
6.5 regarding resigners' ignorance of ADSP. Since the deployment guide
is yet to be an RFC, I am under the impression it might be the open
and the right place to get ADSP and Forwarder semantics.
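
Added example, not part of the original message or of the deployment guide: a sketch of the check the proposed Section 6.5 text describes, where a forwarder that is about to modify and re-sign a message first reads the ADSP record for the 5322.From domain. The function names, the `lookup_txt` callable standing in for a DNS TXT query, and the sample zone and messages are assumptions constructed for illustration; the `_adsp._domainkey.<domain>` record name and the `dkim=` values follow RFC 5617.

```python
from email import message_from_string
from email.utils import parseaddr

PRACTICES = {"unknown", "all", "discardable"}
RESTRICTIVE = {"all", "discardable"}  # the two values named in the proposed text

def parse_adsp(txt):
    """Return the dkim= practice of an ADSP TXT record, or 'unknown'."""
    if not txt:
        return "unknown"  # no record published
    tags = [t.strip() for t in txt.split(";") if t.strip()]
    if not tags:
        return "unknown"
    name, _, value = tags[0].partition("=")
    # RFC 5617: the record must begin with the dkim tag; otherwise ignore it.
    if name.strip() != "dkim":
        return "unknown"
    value = value.strip()
    return value if value in PRACTICES else "unknown"

def author_domain(raw_message):
    """Extract the domain of the 5322.From address ('' if there is none)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def may_modify_and_forward(raw_message, lookup_txt):
    """Apply the proposed rule; returns (allowed, practice)."""
    domain = author_domain(raw_message)
    if not domain:
        return True, "unknown"
    practice = parse_adsp(lookup_txt("_adsp._domainkey." + domain))
    return practice not in RESTRICTIVE, practice

# Constructed sample data (hypothetical domains, not real DNS answers).
ZONE = {
    "_adsp._domainkey.bank.example": "dkim=discardable",
    "_adsp._domainkey.news.example": "dkim=unknown",
}
MSG_BANK = "From: Alice <alice@bank.example>\nSubject: statement\n\nbody\n"
MSG_NEWS = "From: list-fan@news.example\nSubject: hello\n\nbody\n"
MSG_NONE = "From: Bob <bob@norecord.example>\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for raw in (MSG_BANK, MSG_NEWS, MSG_NONE):
        print(author_domain(raw), may_modify_and_forward(raw, ZONE.get))
```
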