-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <b9029423-1b4a-4e82-b8ae-4acbbe810...@tana.it>, Alessandro
Vesely <ves...@tana.it> writes

>BTW, is dkim2=fail different from "failing DKIM2 signatures from a 100% DKIM2 
>mail chain"?  I mean, do verifiers always check all the signatures along the 
>chain or can sometimes check just the last one?

In DKIM2 you need to validate the signature of the entity passing you
the message (the highest numbered header field) because that assures you
that you can give it back to them if you need to...

... you then need to undo all the modifications in other header fields
(if any) but you don't need to check those signatures!

Then you can check the very first signature (if there is more than one
of course) and that tells you if the purported original sender did
indeed sign the message.

If you want to do forensics you can check more, but that's all that a
receiver is likely to care about.

- -- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary 
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBZ+GwQWHfC/FfW545EQJ6ewCg90i3hs52F6XS05fRhmuBJh1Qh5kAnjrX
mwEcr+b37wBVx4JGRW0wP7zm
=zaUN
-----END PGP SIGNATURE-----

_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org
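
The receiver-side order of checks described in the message above, as an added example that is not part of the original post and not DKIM2's wire format. It is a toy model: HMAC with constructed keys stands in for each hop's signature, only the body is signed, and the `undo` record (a footer the hop appended) plus all names are hypothetical.

```python
import hashlib
import hmac

# Constructed keys: HMAC stands in for each hop's public-key signature.
KEYS = {"origin.example": b"k1", "list.example": b"k2", "fwd.example": b"k3"}

def sign(domain, body):
    return hmac.new(KEYS[domain], body.encode(), hashlib.sha256).hexdigest()

def add_hop(chain, domain, body, appended=""):
    """Hop signs the body as it leaves; 'appended' is its (hypothetical) undo record."""
    body += appended
    chain.append({"i": len(chain) + 1, "d": domain, "undo": appended,
                  "sig": sign(domain, body)})
    return body

def receiver_check(chain, body):
    """Return (previous_hop_ok, originator_ok, signatures_checked)."""
    last = chain[-1]                      # highest-numbered hop: who handed it to us
    if not hmac.compare_digest(last["sig"], sign(last["d"], body)):
        return (False, False, 1)
    if len(chain) == 1:
        return (True, True, 1)            # the sender is also the originator
    for hop in reversed(chain[1:]):       # undo changes, newest first; no sig checks
        if hop["undo"]:
            if not body.endswith(hop["undo"]):
                return (True, False, 1)   # recorded change does not match the message
            body = body[: -len(hop["undo"])]
    first = chain[0]                      # the purported original sender
    return (True, hmac.compare_digest(first["sig"], sign(first["d"], body)), 2)

def demo():
    """Constructed three-hop chain: originator, list adding a footer, forwarder."""
    chain = []
    body = add_hop(chain, "origin.example", "Hello\n")
    body = add_hop(chain, "list.example", body, appended="-- list footer\n")
    body = add_hop(chain, "fwd.example", body)
    return chain, body

if __name__ == "__main__":
    chain, body = demo()
    print(receiver_check(chain, body))    # → (True, True, 2)
```

Corrupting the middle hop's signature in this model does not change the result, because only the last and first signatures are checked.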
