By selecting specific A-R headers to remove, header content might be
processed post delivery, and then appear to match against some trusted
domain.
I believe the Security Considerations of RFC5451 covers this adequately.
For sure, individual recipients may wish to check signatures etc. for
themselves, especially if they have doubts about the policies applied by
their local assessors. If the local assessor has unnecessarily removed
some A-R that is actually covered by the signature, then that becomes
impossible.
+1
The safest solution would be to remove _all_ pre-existing A-R
headers from different environments ...
But that's not what the standard says.
+1
IMHO, appendix B.6 is overly optimistic for today's environment.
Have you seen actual attacks like this in the wild already?
Maybe so, but that document is a proposed standard, and unless you have
plans to get it revised, we must try and work with it as it stands.
Nothing in that example is contrary to what that standard says
normatively.
+1
(BTW, does this still qualify as being "on topic" for this list?)
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
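The point raised above, that a local assessor stripping an A-R header which the signer listed in the DKIM-Signature h= tag destroys the ability to verify that signature later, can be checked mechanically. The following is an added example, not code from the thread or from any DKIM implementation: it uses a constructed header set with two Authentication-Results fields (one added after delivery, one present at signing time), applies RFC 6376 relaxed header canonicalization and bottom-up h= selection, and reports which A-R fields may be removed without altering the signed-header input. The real DKIM header hash also includes the DKIM-Signature field itself (with b= emptied) and the body hash; those parts are omitted here since they do not affect which A-R field is selected.

```python
import hashlib
import re

# Constructed sample headers, top to bottom as they appear on the wire.
# Index 0 was added by the receiving MTA after delivery; index 2 was present
# when sender.example computed its DKIM-Signature. (bh= and b= are placeholders.)
HEADERS = [
    ("Authentication-Results", "mx.receiver.example; dkim=pass header.d=sender.example"),
    ("DKIM-Signature", "v=1; a=rsa-sha256; d=sender.example; s=sel; c=relaxed/relaxed;"
                       "\r\n\th=from:to:subject:authentication-results; bh=PLACEHOLDER; b=PLACEHOLDER"),
    ("Authentication-Results", "sender.example; spf=pass smtp.mailfrom=sender.example"),
    ("From", "alice@sender.example"),
    ("To", "bob@receiver.example"),
    ("Subject", "test"),
]

def signed_header_names(dkim_value):
    """Return the h= tag of a DKIM-Signature value as lowercased header names."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", dkim_value)
    m = re.search(r"(?:^|;)\s*h=([^;]*)", unfolded)
    return [n.strip().lower() for n in m.group(1).split(":")] if m else []

def relaxed_header(name, value):
    """RFC 6376 'relaxed' canonicalization of one header field."""
    v = re.sub(r"\r?\n[ \t]+", " ", value)          # unfold
    v = re.sub(r"[ \t]+", " ", v).strip()           # collapse whitespace
    return f"{name.lower()}:{v}\r\n"

def covered_indices(headers, h_names):
    """Indices selected by h=: for each listed name, the lowest unused instance."""
    used, chosen = set(), []
    for want in h_names:
        for i in range(len(headers) - 1, -1, -1):
            if headers[i][0].lower() == want and i not in used:
                used.add(i)
                chosen.append(i)
                break
    return chosen

def signed_header_hash(headers):
    """SHA-256 over the canonicalized fields the signature covers."""
    sig = next(v for n, v in headers if n.lower() == "dkim-signature")
    idx = covered_indices(headers, signed_header_names(sig))
    data = "".join(relaxed_header(*headers[i]) for i in idx)
    return hashlib.sha256(data.encode()).hexdigest()

def removable_ar(headers):
    """Authentication-Results indices NOT covered by the signature (safe to strip)."""
    sig = next(v for n, v in headers if n.lower() == "dkim-signature")
    covered = set(covered_indices(headers, signed_header_names(sig)))
    return [i for i, (n, _) in enumerate(headers)
            if n.lower() == "authentication-results" and i not in covered]
```

Stripping the post-delivery A-R (index 0) leaves the signed-header hash unchanged, while stripping the signer's A-R (index 2) makes h= select the wrong field and changes it.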