Please explain how the policy record specifies that every
message will be signed with "q=dns" (as opposed to "q=xkms").
I cannot see this distinction in the draft. Has an
alternative policy specification mechanism been proposed?
The policy draft needs to be fixed in several ways. It must allow a
signer to tell verifiers what to expect. Telling verifiers the signature
algorithm, the key retrieval mechanism, the version of the signature
algorithm and the canonicalization mechanism are all essential if DKIM
is going to be both secure and upgradeable.