Its pretty useful to be able to sign Authentication-Results ...
That can't be done. This header is subject to stripping and if it gets
signed and later stripped it ruins the signature. So, this one must not be
signed. It would also be useful to sign the Return-Path header I guess but
this also can't be signed because it is subject to stripping as well.
Basically, any header in which it's own specification mandates or even
suggests with a "MAY" that a change or removal might occur - these must not
be included in a signature IMO. MDaemon doesn't sign any X-* header,
Return-Path, or Authentication-Results for this reason.
--
Arvel