> If we can extract DKIM from the equation entirely and the problem
> remains, how is it a DKIM problem?
But it doesn't. Absent a DKIM signature, nobody's making any assertions
about incoming messages, and there's no reason to treat duplicate headers
as anything beyond a software bug.
With a valid DKIM signature from a credible signer, I would really like to
be able to drop a message into the recipient's inbox without further
processing. If I have to run it through spamassassin anyway to detect
message mutations that DKIM doesn't, its utility is vastly less.
We put a bunch of stuff in DKIM to allow benign modifications of messages,
notably relaxed canonicalization. (We can argue about whether l= is
useful, but it's easy enough to ignore if one thinks it isn't.) I think
it's also reasonable to put stuff in to disallow malevolent modifications.
I'm certainly not suggesting a full 5322 body cavity search, but I think
reasonable checks would include checking for duplicates of headers that
MUAs are likely to show, such as Subject, To, From, Sender, and Cc.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
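As an added illustration of the duplicate-header check the post suggests (example code, not from the post or the list), a verifier-side helper that counts the displayed headers named above and refuses the "straight to inbox" shortcut when any is duplicated; the message bytes are constructed samples and the DKIM-Signature values are placeholders.

```python
from collections import Counter

# Headers an MUA is likely to display (the set named in the post).
DISPLAYED_HEADERS = frozenset({"subject", "to", "from", "sender", "cc"})

def header_names(raw: bytes) -> list[str]:
    """Lower-cased name of every field in the RFC 5322 header block, with folded
    continuation lines (leading SP/HTAB) attached to the field above them."""
    text = raw.replace(b"\r\n", b"\n")          # tolerate CRLF or bare LF
    head = text.split(b"\n\n", 1)[0]            # header block ends at first blank line
    names = []
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t"):
            continue                             # continuation of the previous field
        name, sep, _ = line.partition(b":")
        if sep:
            names.append(name.strip().lower().decode("ascii", "replace"))
    return names

def duplicated_displayed_headers(raw: bytes) -> dict[str, int]:
    """{name: count} for displayed headers that occur more than once."""
    counts = Counter(n for n in header_names(raw) if n in DISPLAYED_HEADERS)
    return {n: c for n, c in counts.items() if c > 1}

def accept_without_filtering(raw: bytes, dkim_pass: bool) -> bool:
    """The policy the post argues for: skip further content filtering only when the
    signature verified AND no displayed header is duplicated."""
    return dkim_pass and not duplicated_displayed_headers(raw)

# Constructed sample: a second Subject sits above the signed header set.
# DKIM-Signature field values are placeholders, not a real signature.
DUPLICATED = (
    b"Subject: Updated invoice attached\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\r\n"
    b"\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: alice@example.com\r\nTo: bob@example.net\r\n"
    b"Subject: Lunch on Friday?\r\n\r\nSee you at noon.\r\n"
)
CLEAN = (
    b"From: alice@example.com\r\nTo: bob@example.net\r\n"
    b"Subject: Lunch on Friday?\r\n\r\nSee you at noon.\r\n"
)

if __name__ == "__main__":
    print(duplicated_displayed_headers(DUPLICATED))              # {'subject': 2}
    print(accept_without_filtering(DUPLICATED, dkim_pass=True))  # False
```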