ietf-dkim

Re: [ietf-dkim] NO DKIM "POLICY"

2009-02-19 18:08:02
John Levine wrote:
What is the current recommended method to establish or expose that a 
DOMAIN should not be signed, is not expected to be signed and that any 
DKIM supportive receiver seeing a message with a signature from a 
purported domain should be rejected with full confidence?

That's easy: don't publish any key records.  If a verifier tries to
look up a key record for a signature that doesn't exist, it should get
the hint.

So this is obvious fraud.

    NO KEY means it's not possible to sign. Therefore any signature
    in the message means it's a fraud, a fake.

Ok, makes sense.

By design, a broken signature is equivalent to no signature.

Yeah, that RFC 4871 anomaly "Failure Promotion to no signature" always 
did baffle me.  It's like getting away with murder because police 
procedure was not followed.

-- 
Sincerely

Hector Santos
http://www.santronics.com


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
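
The key-lookup outcome discussed in this message, as an added example that is not part of the original thread: a sketch of the key-retrieval step of an RFC 4871 verifier, showing that a signature whose key record does not exist ends in PERMFAIL and the message is then handled like an unsigned one. The zone contents, domain names, function names and the disposition labels are constructed for illustration; no real DNS query is made.

```python
import re

# Constructed stand-in for DNS: TXT records keyed by query name. Not real data.
ZONE = {
    "sel1._domainkey.signer.example": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB",
    "old._domainkey.signer.example": "v=DKIM1; p=",  # empty p= means revoked
}
TIMEOUTS = {"sel1._domainkey.slow.example"}  # names whose lookup times out


def parse_tags(value):
    """Split a DKIM tag=value list (signature header or key record) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_lookup_status(sig_header):
    """Return (status, reason) for the key-retrieval step of verification."""
    sig = parse_tags(sig_header)
    if "d" not in sig or "s" not in sig:
        return "PERMFAIL", "signature missing required tag"
    qname = f"{sig['s']}._domainkey.{sig['d']}"
    if qname in TIMEOUTS:
        return "TEMPFAIL", "key unavailable"
    record = ZONE.get(qname)
    if record is None:
        return "PERMFAIL", "no key for signature"
    if parse_tags(record).get("p", "") == "":
        return "PERMFAIL", "key revoked"
    return "KEY_FOUND", qname


def disposition(sig_headers):
    """Map lookup results to how the receiver proceeds (labels are assumptions)."""
    results = [key_lookup_status(h)[0] for h in sig_headers]
    if "KEY_FOUND" in results:
        return "continue-verification"
    if "TEMPFAIL" in results:
        return "retry-later"
    return "treat-as-unsigned"  # PERMFAIL only: same as no signature at all
```
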