rfc4871bis-02 Introduction:
,---
...
DKIM:
o is compatible with the existing email infrastructure and
transparent to the fullest extent possible;
o requires minimal new infrastructure;
o can be implemented independently of clients in order to reduce
deployment time;
o can be deployed incrementally;
o allows delegation of signing to third parties.
...
'---
DKIM establishes additional trust based upon a signature's domain, where
DKIM MUST protect use of this trust without assuming changes will be
made to existing email infrastructure. Some have suggested new
mail-filtering should be added to MUAs, MTAs, and other mail agents to
prevent exploits of DKIM trust allowed by DKIM's verification having
neglected essential checks for multiple singleton header fields.
Once one DKIM verification vendor includes these necessary checks that
suppress DKIM PASS, and another vendor does not, DKIM implementations
are no longer compatible. IMHO, this represents a DKIM protocol failure
to properly define elements that MUST BE checked to qualify a DKIM PASS
verification result. The DKIM protocol may require future updates as
new exploits are discovered, or a significant design goal will have been
lost.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
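A verifier-side check for the gap Doug describes (a DKIM PASS reported even though a singleton header field such as From: appears twice), as an added example that is not part of the post or of any DKIM implementation. The SAMPLE message, its placeholder signature values, and the result labels are constructed for illustration; the singleton list is taken from RFC 5322 section 3.6.

```python
"""Suppress a DKIM PASS when an RFC 5322 singleton header field is duplicated:
a signature covering one instance says nothing about an unsigned second copy."""
import email
import re

# RFC 5322 section 3.6 header fields limited to a single instance per message.
SINGLETON_FIELDS = frozenset({
    "date", "from", "sender", "reply-to", "to", "cc", "bcc",
    "message-id", "in-reply-to", "references", "subject",
})

def duplicated_singletons(raw: bytes) -> set:
    """Lower-cased names of singleton fields that occur more than once."""
    msg = email.message_from_bytes(raw)  # compat32 policy: keys() keeps duplicates
    counts = {}
    for name in msg.keys():
        counts[name.lower()] = counts.get(name.lower(), 0) + 1
    return {k for k, n in counts.items() if k in SINGLETON_FIELDS and n > 1}

def signed_fields(raw: bytes) -> set:
    """Lower-cased names listed in the h= tag of the first DKIM-Signature."""
    sig = email.message_from_bytes(raw).get("DKIM-Signature", "")
    m = re.search(r"(?:^|;)\s*h=([^;]+)", sig)
    return {f.strip().lower() for f in m.group(1).split(":") if f.strip()} if m else set()

def qualify_dkim_pass(raw: bytes, crypto_result: str) -> tuple:
    """Combine the signature check proper ("pass"/"fail") with the singleton check.
    Any duplicated singleton field suppresses PASS, signed or not: the unsigned
    copy is the one a client may display under the signer's reputation."""
    if crypto_result != "pass":
        return crypto_result, "signature did not verify"
    dupes = duplicated_singletons(raw)
    if not dupes:
        return "pass", "no duplicated singleton fields"
    shadowed = sorted(dupes & signed_fields(raw))  # signed fields now ambiguous
    reason = "duplicated singleton field(s): " + ", ".join(sorted(dupes))
    if shadowed:
        reason += "; signed instance shadowed: " + ", ".join(shadowed)
    return "fail", reason

# Constructed sample: the second From: is not covered by the signature.
SAMPLE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject;
 bh=placeholder; b=placeholder
From: signer@example.com
From: other@example.net
To: recipient@example.org
Subject: quarterly report
"""
```

The cryptographic result is taken as an input here because the point of the check is what happens after the signature itself verifies; a real verifier would run it before emitting its Authentication-Results.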