Barry Leiba wrote:
That said, I'm inclined to agree with Mike T that input from the
reputation target is suspicious, so it's not clear how much value it
will have nor whether it might be gamed (by the reputation target) or
hacked (by someone wanting to hurt the target's reputation).
It shouldn't matter what t=y is or not, where the final result came
from, technical or reputation. Unless there is a strong exclusive
policy involved based on ADSP or some FUTURE REP-POLICY idea saying;
ADSP: This mail must be signed.
REP-POLICY: This mail must be a good reputation.
The bad guy does not need to give any sort of signature or rep hints
in the mail, and the mail is accepted anyway (or passes this test).
At the very least, with ADSP we have the Author-Domain anchor always
available to do policy test, but for reputation its dependency on a
signer-domain, there is no technical possibility to get that
information. So you need a signature (valid or not) for reputation in
order for it to even work.
Anyway, for t=y, verifiers SHOULD NOT treat testers any different from
production mode signers. I think that is what is the intent now is
for the current DKIM text, if not, it should be clarified.
NOTE WELL: This list operates according to