As a part-time MTA developer I am not confused. The DKIM signature
provides a simple piece of trace information ("I handled this mail")
that is cryptographically bound to some header and body content.

Yes. And that the obverse is possible: "I didn't handle this mail".

I don't see how DKIM can provide the obverse - the obvious way
is for a sender to assert that all their mail has a DKIM signature,
but that fails when the DKIM signature breaks in transit. Is there
a clever trick I'm missing?

So you're saying it can provide the obverse; you just don't like the
failure modes. Perhaps surprisingly, the failure modes are exactly
what attracts some folk to DKIM.

We also have to be patient. When DK was first discussed, folk said
that it was impossible because MTAs routinely made arbitrary changes
to the payload, but that's no longer true. Folks also said that the
mainstream players would never get on board, but that's no longer
true.

A fork-lift change was never going to occur overnight so we just have
to keep chipping away.

Mark.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html