That said, there's a lot of agreement that filtering during SMTP is better
than accept-and-then-deal-with-it approaches. (cf. RFC5451, Appendix C)
Unfortunately post-DATA rejection is the only way that can be done, short of
changes to SMTP in the way of yet another extension that wouldn't receive
wide adoption in the short term anyway.

I hadn't realized how many medium-sized MTAs do their DKIM during the
SMTP session. You learn something new every day. It still sounds like a
design that *requires* that an MTA do DKIM at SMTP time would present a
problem for some mail systems too large to ignore.

For Ian, I'm still wondering if he's yet implemented a setup which knows
at SMTP time what addresses deliver to mailing lists so it knows whether
to reject or discard on ADSP failures. Still seems like a lot of work for
a largely nonexistent problem.

R's,
John

PS:

That no workable envelope-level DKIM equivalent has materialized to date
is unfortunate.

Not for lack of trying, but I just don't see how you could prevent bad
guys from replaying good envelopes on bad mail.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
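
The replay point in the PS and the post-DATA point at the top of the message, as an added example that is not part of the original post: a token that covers only the envelope can be checked before DATA but verifies no matter what body follows, while a token that also covers a body hash can only be checked once the body has arrived. The token format, function names, key and sample addresses are hypothetical, and HMAC stands in for a real public-key signature.

```python
import hashlib
import hmac

# Constructed key; HMAC stands in for the signer's public-key signature.
KEY = b"constructed-demo-key"

def _mac(*fields: bytes) -> str:
    return hmac.new(KEY, b"\n".join(fields), hashlib.sha256).hexdigest()

def sign_envelope(mail_from: str, rcpt_to: str) -> str:
    """Hypothetical envelope-level token: covers MAIL FROM and RCPT TO only."""
    return _mac(mail_from.encode(), rcpt_to.encode())

def sign_with_body(mail_from: str, rcpt_to: str, body: bytes) -> str:
    """Same fields plus a body hash, the binding DKIM's bh= tag provides."""
    body_hash = hashlib.sha256(body).hexdigest().encode()
    return _mac(mail_from.encode(), rcpt_to.encode(), body_hash)

def check_pre_data(mail_from: str, rcpt_to: str, token: str) -> bool:
    """What a receiver can verify at RCPT TO time, before any content arrives."""
    return hmac.compare_digest(sign_envelope(mail_from, rcpt_to), token)

def check_post_data(mail_from: str, rcpt_to: str, body: bytes, token: str) -> bool:
    """What a receiver can verify at end of DATA, with the body in hand."""
    return hmac.compare_digest(sign_with_body(mail_from, rcpt_to, body), token)

def replay_demo() -> dict:
    sender, rcpt = "alice@example.org", "bob@example.net"  # constructed
    signed_body = b"Subject: minutes\r\n\r\nNotes from Tuesday.\r\n"
    other_body = b"Subject: offer\r\n\r\nUnrelated content.\r\n"
    env_token = sign_envelope(sender, rcpt)
    body_token = sign_with_body(sender, rcpt, signed_body)
    return {
        # The envelope check takes no body, so it passes whatever follows in DATA.
        "envelope_token_with_other_body": check_pre_data(sender, rcpt, env_token),
        "body_token_with_signed_body": check_post_data(sender, rcpt, signed_body, body_token),
        "body_token_with_other_body": check_post_data(sender, rcpt, other_body, body_token),
    }

if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name}: {'accept' if ok else 'fail'}")
```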