John C Klensin wrote:
While this is interesting, as Dave points out, it is probably not
the right place to debate it.
It's about "drop" vs. "reject". When Doug talks about "message
annotation" I think it's in practice "drop" for anybody who hasn't
the time to check "annotated messages" manually.
And when he talks about "acceptance on a limited basis" I think
it's in practice "reject", at best TempFail.
Those promises clearly stressed that DKIM was appropriate as a
reputation check by the delivery MTA or target user MUA, but
not as a means of authenticating senders and rejecting mail in
transit.
| Taken together, these will assist receiving domains in detecting
| (or ruling out) certain forms of spoofing as it pertains to the
| signing domain.
"Ruling out" can be "reject" or "drop", it's in the DKIM Charter.
The only reliable way of "ruling out" is "reject at the border MX".
Anything "annotated" is a black hole, and any later rejects could
cause bounces to random addresses - unless it's limited to traffic
from 4409 6.1 MSAs and/or SPF PASS and/or old RFC 821 reverse path
routing buried under tons of SHOULD NOT and/or some crystal ball
I've not heard of.
Frank