Michael Thomas wrote:
> > An MTA compliant with this specification MUST add this header to
> > indicate the host which performed the authentication tests, the
> > authentication methods tested and the results of the tests. If more
> > than one test is done, the MTA MUST either add this header once per
> > test or add one header to convey all the results. An MTA MUST NOT
> > add the result to an existing header.
>
> I don't understand the reason for this restriction, and I understand
> even less how you expect it to be enforced. Consider this:
>
> border(spf)->mta(dkim)->delivery
>
> why should it be illegal for the middle mta to add the dkim results
> to the existing upstream auth-res? Does it cause some sort of security
> problem? Or any other kind of problem? The only kind of security problem
> I can see is if it added it to an _untrusted_ auth-res, but that would
> be pretty silly.

It's mainly to require that the hostname in the A-R header indicate where the
status was evaluated. If it claims "border" and "mta" modifies it, the consumer
of the header will be led to believe that "border" did both evaluations which is
inaccurate.
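
The attribution point made in the reply, as an added example that is not part of the original thread: a consumer credits every result in an Authentication-Results header to the host named at its start, so a result appended by a later hop is credited to the wrong evaluator. The `host; method=result` syntax, the host names and both messages are assumptions constructed for illustration.

```python
from email import message_from_string

# Constructed messages for the border(spf)->mta(dkim)->delivery path.
# SEPARATE: each hop adds its own header; a third header names an unknown host.
SEPARATE = (
    "Authentication-Results: mta.example.org; dkim=pass header.d=example.net\n"
    "Authentication-Results: border.example.org; spf=pass smtp.mailfrom=example.net\n"
    "Authentication-Results: unknown.example; dkim=pass header.d=example.net\n"
    "From: someone@example.net\n\nbody\n"
)
# MERGED: "mta" appended its dkim result to the header written by "border".
MERGED = (
    "Authentication-Results: border.example.org; spf=pass smtp.mailfrom=example.net;"
    " dkim=pass header.d=example.net\n"
    "From: someone@example.net\n\nbody\n"
)
TRUSTED = {"border.example.org", "mta.example.org"}  # hosts inside our boundary


def parse_auth_results(value):
    """Split one header value into (host, [(method, result), ...]).

    Simplified: ignores parenthesised comments and quoted strings.
    """
    parts = [p.strip() for p in value.split(";")]
    host = parts[0].split()[0].lower() if parts[0] else ""
    results = []
    for part in parts[1:]:
        if "=" not in part:
            continue  # empty segment or a bare "none"
        method, _, result = part.split()[0].partition("=")
        results.append((method.lower(), result.lower()))
    return host, results


def results_by_evaluator(raw_message, trusted_hosts):
    """Map each trusted host to the results its header claims it evaluated."""
    msg = message_from_string(raw_message)
    attributed = {}
    for value in msg.get_all("Authentication-Results", []):
        host, results = parse_auth_results(value)
        if host in trusted_hosts:  # headers from unknown hosts are ignored
            attributed.setdefault(host, []).extend(results)
    return attributed


if __name__ == "__main__":
    print(results_by_evaluator(SEPARATE, TRUSTED))
    print(results_by_evaluator(MERGED, TRUSTED))  # dkim is credited to "border"
```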