ietf-dkim

Re: [ietf-dkim] General Feedback loop using DKIM

2009-05-28 12:13:18



The presence of a header field that is signed does not guarantee that it
was placed there by the signer, merely that it was present when the
message was signed.  It therefore does not provide a mechanism for
verifying that the requested destination address is authoritative for
the domain.

Oops. Right.  I keep raising the same point about whether contents are
validated by DKIM.  Sigh.

So, there's a Pandora's box that this raises, which is how to use DKIM
in a way that has the semantics of claiming that bits of contents are
in fact valid?


Correct, which is why I prefer it out of band for this effort.

Also, this is a policy statement by the domain.  Their policy is that
automated abuse reports should be sent to a specific address.  My
understanding of the current model for stating domain policy (as with
ADSP) is a published record that can be queried.

I don't recall that ADSP is meant to lay claim to the entire space of
such declarations.  So the precedent that it does some of it ought not
to dictate the 'venue' for communicating the next bit; that decision
ought to hinge on whatever semantics, efficiency and validity issues
apply.


Fair enough.  I feel that the model fits the circumstances of this issue
well enough, but I'm open to debate if anyone has a good argument for a
different model.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html