On Fri 21/Mar/2025 19:13:47 +0100 Tobias Herkula wrote:
> As a receiver, I already reject some portions of traffic if it is unsigned or an existing signature does not verify. I would vote for a clear statement that failing DKIM2 signatures from a 100% DKIM2 mail chain should provoke a reject, as nice as "local policy" sounds, I don't like the burden of handling broken mail if I'm not responsible for breaking it.

Such a statement assumes that DKIM2 is the silver bullet, that no wanted message would fail DKIM2 verification. Instead of betting everything on this, I would follow DMARC reports and go with p=reject when I see no unexpected failures.

BTW, is dkim2=fail different from "failing DKIM2 signatures from a 100% DKIM2 mail chain"?  I mean, do verifiers always check all the signatures along the chain or can sometimes check just the last one?

Best
Ale

_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org