Douglas Otis wrote:
DKIM is a security mechanism. Negligence can not be escaped blaming the
underlying protocol since it does not make any additional assurances of
trust. That is clearly the role accepted by DKIM for good or for evil.
DKIM becomes very simple to understand, enlightening and incredibly
very mind smoothing when you completely remove from your mind security.
DKIM (RFC4872bis) is an intermediate signer trust mechanism for
authenticated messages. There is no certifiable trust in the
self-signed signature. Anything beyond that is out of scope.
What are the outputs?
There are arguably (maybe not) only two outputs at the DKIM level; The
signature validity status and the signer identity. Anything beyond
that is out of scope.
Since a valid signature signer identity MUST be communicated to an
independent trust assessment service or a local policy trust table,
arguably (maybe not), the third final or ultimate output is the trust
status. Anything beyond that is out of scope.
NOTE WELL: This list operates according to