Now on the other hand, if an administrative domain wanted to go to the
trouble to authenticate down to the user level, we didn't want to prevent
that, either. The primary audience for DKIM includes regulated industries,
Seems to me that works fine as is. If a stock broker wants to set up its
mail system to put an i= into DKIM that reliably identifies the person who
sent the mail, they can do that.
But unless I have external knowledge that they do that, and trust them to
do it right, I can't depend on it, so it's mostly an opaque token of use
to the sender when someone sends back a message and says "what the heck is
going on here?"
NOTE WELL: This list operates according to