If it was signed with an algorithm you couldn't verify, you know that,
If the signature was broken, you know that (but not why it was broken).
All those situations are to be classified as 'unsigned' (but more detailed
information is available to you if you want to use it).
I would really like a security analysis of this paragraph. In
particular, how do you tell a valid signature with an algorithm you
couldn't verify from a spammer's forged header that happens to look
like a signature? You can't. DKIM doesn't have signatures that
"almost" or "sort of" verify. Either they verify or they don't.
With that in mind, of what use to a receiver is a policy statement
that depends on a header that is trivially forged by any bad guy?
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, Mayor
"More Wiener schnitzel, please", said Tom, revealingly.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html