On Jun 3, 2009, at 9:13 AM, Murray S. Kucherawy wrote:
>> WTF is the point of inserting an A-R header if you are not willing
>> to take responsibility for what you have done by signing it?
>> And why should anyone else believe your A-R if you have omitted
>> that elementary step?
>
> Because, if you've followed the RFC defining it, the border MTA has
> removed any others present that could possibly be misinterpreted by
> internal agents.
>
> You're not required to sign them, but it's not a bad idea.

ISPs seem unlikely to sign incoming messages because they include their
A-R headers. A-R headers are expected to be removed at border MTAs, so
when forwarding, signatures intended to protect A-R headers will
normally become invalid. One would not be able to tell whether these
signatures were being spoofed by the ISP's outbound server, or whether
the signature represents a failed attempt to protect A-R headers.
Should DKIM signatures not include missing A-R headers?
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
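
Added example (not part of the original message, and not code from any DKIM implementation): a sketch of why a signature whose h= tag lists Authentication-Results stops verifying once a border MTA strips that field, while a signature that does not list it is unaffected. Assumptions: the border removes every Authentication-Results field, the hash covers only the fields named in h= (the DKIM-Signature field itself and the body hash are left out for brevity), and all hostnames and header values are constructed.

```python
import hashlib
import re

def relaxed(name, value):
    """'relaxed' header canonicalization for a single field."""
    value = re.sub(r"\r?\n", "", value)              # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse and trim whitespace
    return f"{name.lower().strip()}:{value}\r\n"

def signed_header_hash(headers, h_tag):
    """Hash the fields named in h=, selecting instances from the bottom up.
    A name with no remaining instance contributes nothing (null input)."""
    pool = list(headers)
    data = ""
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == wanted:
                data += relaxed(*pool.pop(i))
                break
    return hashlib.sha256(data.encode()).hexdigest()

def border_strip(headers):
    """Assumed border-MTA behaviour: drop every Authentication-Results field."""
    return [(n, v) for n, v in headers if n.lower() != "authentication-results"]

def survives_border(headers, h_tag):
    """True if the signed-header hash is unchanged after the border strips A-R."""
    return signed_header_hash(headers, h_tag) == signed_header_hash(
        border_strip(headers), h_tag)

# Constructed sample message as it leaves the forwarding ISP.
MESSAGE = [
    ("Authentication-Results", "mx.isp.example; dkim=pass header.d=sender.example"),
    ("From", "alice@sender.example"),
    ("To", "bob@corp.example"),
    ("Subject", "quarterly  report"),
]

if __name__ == "__main__":
    for h in ("from:to:subject", "from:to:subject:authentication-results"):
        print(h, "->", "still verifies" if survives_border(MESSAGE, h) else "broken")
```

A verifier behind the border sees only the failed hash in the second case; nothing in the result says whether the signed field was stripped in transit or was never there.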