Comment 12 for bug 316272

Scott Kitterman (kitterman) wrote :

If you allow a DKIM signature to mean anything positive (i.e. to allow anything you rely on a GPG key for today), you are abusing the protocol and relying on internal implementation details of proprietary web services.

You don't need to quote the RFC at me. I've participated in the IETF DKIM working group since it was started and contributed to the design.

If you think this is OK from a security perspective you really don't understand what DKIM is doing.

Additionally, if you read the RFC, it says explicitly that a broken signature should be treated just like no signature at all, so if you think broken signatures are meaningful, you are misunderstanding the RFC.

You could treat the absence of a valid signature as meaningful from domains that publish ADSP all or discardable policy records, as a reason not to trust that the email is valid/authorized, and that would be both consistent with the DKIM/ADSP design and a reasonable security practice (since you don't expect inbound mail from mailing lists, as was already said).
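
The policy described in the comment above, sketched as an added example (not part of the comment and not Launchpad's code): a broken signature counts the same as none, a valid signature never produces a positive outcome, and only a missing author-domain signature from a domain publishing ADSP `all` or `discardable` (RFC 5617, `dkim=` tag of the `_adsp._domainkey` TXT record) is treated as a negative signal. The function names are hypothetical, the record parser is simplified, and DKIM verification results and the ADSP TXT string are passed in as constructed inputs rather than fetched or verified.

```python
# Added example: inputs are constructed; no DNS lookup or DKIM verification
# is performed here. Function names are hypothetical.

def parse_adsp(txt):
    """Return the ADSP practice: 'unknown', 'all' or 'discardable'.

    Simplified reading of RFC 5617: the record starts with the dkim= tag;
    a missing, unparseable or unrecognised record is treated as 'unknown'.
    """
    if not txt:
        return "unknown"
    first_tag = txt.split(";", 1)[0].strip()
    name, sep, value = first_tag.partition("=")
    if not sep or name.strip() != "dkim":
        return "unknown"
    value = value.strip().lower()
    return value if value in ("all", "discardable") else "unknown"


def has_author_domain_signature(from_domain, signatures):
    """signatures: list of (d_domain, verified_ok) pairs.

    A signature that failed verification is ignored, exactly as if it were
    absent. Only a verified signature whose d= domain equals the From
    domain counts as an author domain signature.
    """
    wanted = from_domain.lower()
    return any(ok and d.lower() == wanted for d, ok in signatures)


def assess(from_domain, signatures, adsp_txt):
    """Return 'suspicious' or 'no-signal'.

    There is deliberately no 'trusted' outcome: a valid DKIM signature is
    not treated as authorization for anything.
    """
    practice = parse_adsp(adsp_txt)
    if practice in ("all", "discardable") and not has_author_domain_signature(
        from_domain, signatures
    ):
        return "suspicious"
    return "no-signal"
```
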