Dave CROCKER wrote:
This begs the question: why bother to do the first validation; why
not simply wait and let whoever would have validated the first instead
validate the first?
If the only authentication method being applied at a site is DKIM or
other things that don't care about the path, that works. But that's a
big "if", and moreover means all consumers of authentication results
data must now learn all local path-agnostic methods being used to
The desire here is to secure arbitrary authentication results data
between the border MTA and the consuming MUA. DKIM is one way that
could be achieved, meaning the consumers need to learn one and only one
message authentication scheme in order to validate that one piece of
protected internal data.
NOTE WELL: This list operates according to