Stephen Farrell wrote:
If the above is possible, how should/can it be avoided?
Never ever sign anything that is already signed. Or at the
very minimum don't "drop" signatures.
It's the point of DKIM to find some "accountable" party as
near to the sender/originator/author (pick what you like)
as possible. Therefore step 2 in your scenario is strange.
Why does the list do this, because it manipulated Alice's
mail ? Then Bob's result in step 4 is correct, this mail
was "forged" (= the "list" might be some attacker, social
engineering abusing Alice's address).
If Alice and Bob insist on using a list that manipulates
mail they have to white list it. Or find a new list admin
with some clue to stop this abuse.
Step 4 means "DKIM working as designed", it's a feature
and no bug.
Bye, Frank
_______________________________________________
ietf-dkim mailing list
http://dkim.org