Mark Martinec wrote:
3. If the query for the public key fails because the corresponding
key record does not exist, the verifier MUST immediately return
PERMFAIL (no key for signature).
[...]
A verifier SHOULD NOT treat a message that has one or more bad
signatures and no good signatures differently from a message with no
signature at all; such treatment is a matter of local policy and is
beyond the scope of this document.
Just to be extra clear, PERMFAIL in this context is a verifier result --
just an inability to verify the signature. In order to satisfy the above
paragraph, this SHOULD NOT result in an SMTP PERMFAIL. This is different
from a verifier TEMPFAIL, which may result in an SMTP TEMPFAIL.
I think it is plain wrong and a bug if a verifier tempfails a message
on an authoritative DNS failure.
Agreed.
-Jim
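The distinction Jim draws above (a verifier PERMFAIL result versus an SMTP-level reject, and a verifier TEMPFAIL that may legitimately become an SMTP 4xx) is easy to get wrong in an MTA milter. The following is an added illustration, not code from the thread or from any DKIM implementation: it models the RFC 6376 section 6.1.2 key-lookup step with a constructed in-memory DNS table, maps the four DNS outcomes onto verifier results, and then derives the SMTP disposition and an Authentication-Results header (result names as defined in RFC 8601). The `FAKE_DNS` entries, the `Signature` dataclass, and the `crypto_valid` flag (standing in for the actual RSA/Ed25519 check) are assumptions made for the example.

```python
"""DKIM verifier result handling, added example (not from the dkim-ops thread).

Models RFC 6376 section 6.1.2 step 3 (missing key -> verifier PERMFAIL) and the
policy discussed on the list: a verifier PERMFAIL must not turn into an SMTP
permanent failure, whereas a verifier TEMPFAIL (transient DNS trouble) may.
"""
from dataclasses import dataclass
from enum import Enum


class DnsOutcome(Enum):
    RECORD = "record"        # key record returned
    NXDOMAIN = "nxdomain"    # authoritative: name does not exist
    NODATA = "nodata"        # authoritative: name exists but has no TXT record
    SERVFAIL = "servfail"    # transient: resolver/authoritative error
    TIMEOUT = "timeout"      # transient: no answer in time


class VerifierResult(Enum):
    # Values are the RFC 8601 Authentication-Results names for the dkim method.
    PASS = "pass"
    FAIL = "fail"            # key found, signature did not verify
    PERMFAIL = "permerror"   # e.g. no key for signature (RFC 6376 6.1.2 step 3)
    TEMPFAIL = "temperror"   # key query failed transiently


@dataclass
class Signature:
    domain: str          # d= tag
    selector: str        # s= tag
    crypto_valid: bool   # assumed result of the cryptographic check (constructed)


# Constructed DNS table keyed by "<selector>._domainkey.<domain>".
FAKE_DNS = {
    "s1._domainkey.example.com": DnsOutcome.RECORD,
    "gone._domainkey.example.com": DnsOutcome.NXDOMAIN,
    "slow._domainkey.example.net": DnsOutcome.TIMEOUT,
}


def lookup_key(sig: Signature) -> DnsOutcome:
    """Simulated TXT lookup; an unknown name behaves like an authoritative NODATA."""
    return FAKE_DNS.get(f"{sig.selector}._domainkey.{sig.domain}", DnsOutcome.NODATA)


def verify_signature(sig: Signature, dns=lookup_key) -> tuple[VerifierResult, str]:
    """Verifier result for one DKIM-Signature, with a human-readable reason."""
    outcome = dns(sig)
    if outcome in (DnsOutcome.NXDOMAIN, DnsOutcome.NODATA):
        # Authoritative "no such record": the verifier MUST return PERMFAIL.
        return VerifierResult.PERMFAIL, "no key for signature"
    if outcome in (DnsOutcome.SERVFAIL, DnsOutcome.TIMEOUT):
        # Transient DNS problem: TEMPFAIL, so the sender can retry later.
        return VerifierResult.TEMPFAIL, "key query failed temporarily"
    if sig.crypto_valid:
        return VerifierResult.PASS, "signature verified"
    return VerifierResult.FAIL, "signature did not verify"


def smtp_disposition(results: list[tuple[VerifierResult, str]]) -> tuple[int, str]:
    """Map verifier results for all signatures on a message to an SMTP reply.

    A message whose only results are PERMFAIL/FAIL is treated exactly like an
    unsigned message (accepted; any further handling is local policy downstream).
    Only a TEMPFAIL with no good signature justifies an SMTP 4xx.
    """
    outcomes = [r for r, _ in results]
    if VerifierResult.PASS in outcomes:
        return 250, "accepted: at least one good signature"
    if VerifierResult.TEMPFAIL in outcomes:
        return 451, "temporary failure: DKIM key lookup failed, try again later"
    return 250, "accepted: no valid signature, handled as unsigned"


def authentication_results(authserv_id: str, sigs: list[Signature],
                           results: list[tuple[VerifierResult, str]]) -> str:
    """Build an RFC 8601 Authentication-Results header for the verified message."""
    parts = [authserv_id]
    if not sigs:
        parts.append("dkim=none")
    for sig, (res, reason) in zip(sigs, results):
        parts.append(f"dkim={res.value} ({reason}) header.d={sig.domain} header.s={sig.selector}")
    return "Authentication-Results: " + "; ".join(parts)


def process_message(sigs: list[Signature]) -> tuple[int, str]:
    """Verify every signature, then return (SMTP code, Authentication-Results header)."""
    results = [verify_signature(s) for s in sigs]
    code, _ = smtp_disposition(results)
    return code, authentication_results("mx.example.org", sigs, results)


if __name__ == "__main__":
    for sigs in ([Signature("example.com", "gone", True)],
                 [Signature("example.net", "slow", True)],
                 [Signature("example.com", "s1", True), Signature("example.com", "gone", True)],
                 []):
        code, header = process_message(sigs)
        print(code, header)
```

Running the block prints `250` for the missing-key case (the PERMFAIL result is recorded in the header but the message is accepted like an unsigned one), `451` for the timeout case, and `250` when any one signature passes regardless of a sibling signature's missing key.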
_______________________________________________
dkim-ops mailing list
dkim-ops@mipassoc.org
http://mipassoc.org/mailman/listinfo/dkim-ops