Dave Crocker wrote:
> For example, let's say that a receiver chooses either not to do the
> NXDomain test or chooses to process the result differently than the
> document specifies.
> Exactly what terrible outcome does this produce?

It produces the outcome "unknown" for non-existent domains, that is
subject to misinterpretation.
It's more important when coupled with the parent domain check. If DKIM
has the parent domain check (the misleadingly named "tree walk" in
common parlance), referencing the parent domain's ADSP without checking
for the existence of either the parent or subdomain makes it impossible
to protect against the multilevel (a.b.c.d.e.example.com) attack.
-Jim
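
The point made in the reply above, sketched as an added example that is not part of the original message or of any DKIM/ADSP specification text. It assumes a one-level parent check and a simplified in-memory DNS model with no wildcards; the zone data and all function names are constructed for illustration.

```python
# Constructed zone data (not real DNS): name -> {record type: value}.
ZONE = {
    "example.com": {"MX": "mx.example.com"},
    "mx.example.com": {"A": "192.0.2.10"},
    "mail.example.com": {"A": "192.0.2.25"},
    "_adsp._domainkey.example.com": {"TXT": "dkim=all"},
}

def exists(name, zone=ZONE):
    """A name exists if it owns records or has descendants (empty non-terminal)."""
    return name in zone or any(k.endswith("." + name) for k in zone)

def published_practice(domain, zone=ZONE):
    """Return the dkim= value of the domain's own ADSP record, or None."""
    txt = zone.get("_adsp._domainkey." + domain, {}).get("TXT")
    if not txt:
        return None
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags.get("dkim")

def adsp_result(author_domain, check_existence, zone=ZONE):
    """Hypothetical receiver logic: own record, then one-level parent check."""
    domain = author_domain.lower().rstrip(".")
    if check_existence and not exists(domain, zone):
        return "nxdomain"          # author domain is not in the DNS at all
    practice = published_practice(domain, zone)
    if practice:
        return practice
    parent = domain.partition(".")[2]
    if "." in parent:              # assumption: never query a bare TLD
        practice = published_practice(parent, zone)
        if practice:
            return practice
    return "unknown"

if __name__ == "__main__":
    # Columns: name, result without existence check, result with it.
    for name in ("example.com", "mail.example.com", "a.b.c.d.e.example.com"):
        print(name, adsp_result(name, False), adsp_result(name, True))
```

Without the existence test, the deep non-existent name falls past the parent check and comes back "unknown", indistinguishable from a real domain that publishes nothing; with the test it is reported as non-existent.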