We've been tracking the verification of DKIM/DOMAINKEY mail coming into our
system and, as expected, I am seeing the testing tag, t=y, being used by
spammers.
I propose the addition of the following information note (edit as required,
I am just highlighting the issue).
3.6.1 Textual Representation
...
t= Flags, represented as a colon-separated list of names
(plain-text; OPTIONAL, default is no flags set). The
defined flags are:
y This domain is testing DKIM. Verifiers MUST NOT treat
messages from signers in testing mode differently from
unsigned email, even should the signature fail to verify.
Verifiers MAY wish to track testing mode results to assist
the signer.
INFORMATIVE IMPLEMENTATION NOTE: The testing flag has the
high potential of becoming a loophole for attacks with
a high degree of failure. Verifiers should consider a
tracking mechanism to limit the long term continued
usage of the t=y flag to bypass any verification scoring
and filtering employed by local policy.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
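The following is an added example, not code from the post above or from any DKIM implementation, showing what the proposed note amounts to on the verifier side: parse the key record's "t=" flag list, apply the RFC 4871 section 3.6.1 rule that a signer in testing mode is treated like unsigned mail whatever the signature result, and keep a per-domain count of testing-mode outcomes so local policy can notice a signer that stays in t=y with failing signatures. It assumes the key record TXT string has already been fetched and the signature already verified (no DNS lookup or crypto is done here); the sample records and the "p=" values are constructed placeholders, and the failure threshold is a hypothetical local-policy setting, not anything the RFC defines.

```python
"""Added example (not from the original post): parsing the DKIM key record
"t=" flags and applying the RFC 4871 3.6.1 rule for testing mode, with the
kind of per-signer tracking the proposed note describes.  Key records below
are constructed samples; the "p=" values are placeholders, not real keys."""
from collections import Counter, defaultdict

# Constructed sample key records, as they would come back from the
# <selector>._domainkey.<domain> TXT lookup (no DNS is done here).
TESTING_RECORD = "v=DKIM1; k=rsa; t=y; p=PLACEHOLDER_BASE64_KEY"
TESTING_STRICT_RECORD = "v=DKIM1; k=rsa; t=y:s; p=PLACEHOLDER_BASE64_KEY"
PRODUCTION_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_KEY"


def parse_dkim_key_record(txt):
    """Split an RFC 4871 tag=value list (';'-separated) into a dict.

    Whitespace around tags and values is ignored and a trailing ';' is
    allowed; a part without '=' is malformed and rejected.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def key_flags(tags):
    """Return the set of names in the colon-separated 't=' flag list."""
    return {f.strip() for f in tags.get("t", "").split(":") if f.strip()}


def is_testing(tags):
    """True when the signer has set the 'y' (testing) flag."""
    return "y" in key_flags(tags)


class TestingModeTracker:
    """Counts verification outcomes per domain for signers in testing mode.

    This is the 'tracking mechanism' the proposed note asks verifiers to
    consider; it only records results and never changes the RFC-mandated
    disposition of the message.
    """

    def __init__(self):
        self.results = defaultdict(Counter)  # domain -> {"pass": n, "fail": n}

    def record(self, domain, signature_verified):
        self.results[domain]["pass" if signature_verified else "fail"] += 1

    def summary(self, domain):
        return dict(self.results[domain])

    def persistent_testing_failures(self, domain, threshold):
        """True once a domain has accumulated `threshold` failed signatures
        while in testing mode, so local policy can review the signer.
        The threshold is a hypothetical local-policy value, not an RFC one."""
        return self.results[domain]["fail"] >= threshold


def disposition(domain, key_record_txt, signature_verified, tracker):
    """Return the result local policy should act on for one signature.

    RFC 4871 3.6.1: mail from a signer in testing mode MUST NOT be treated
    differently from unsigned mail, even when the signature fails, so a
    testing-mode result is folded into 'unsigned' and only tracked.
    """
    tags = parse_dkim_key_record(key_record_txt)
    if is_testing(tags):
        tracker.record(domain, signature_verified)
        return "unsigned"
    return "pass" if signature_verified else "fail"


if __name__ == "__main__":
    tracker = TestingModeTracker()
    for verified in (False, False, True):
        print(disposition("example.com", TESTING_RECORD, verified, tracker))
    print(tracker.summary("example.com"))
    print(tracker.persistent_testing_failures("example.com", 2))
    print(disposition("example.net", PRODUCTION_RECORD, False, tracker))
```

The split between `disposition` and `TestingModeTracker` is deliberate: the message handling stays exactly what the RFC requires, and the accumulated counts are the input to whatever local scoring or review the note leaves to the verifier.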