> RFC 8301 removes rsa-sha1 from DKIM, so "FinCo" isn't wrong to consider
> the signature invalid. It's a bit aggressive for my taste, but it's the
> receiver's call. The most I might do is ignore the signature. It's
> definitely not a reason to block the message.
Thanks for the relevant RFC.
I tend to agree.
I may have been unclear -- it's my server receiving emails from the errant
FinCo, dkim-signed with sha1 sigs. So up to me to determine if they are
'putting clients at risk' by being lazy about their security, and blocking
their messages.
Simply, IMO, FinCo's admins are being lazy/sloppy. They _should_ know & do
better. (This really is a BIG organization; personally, I'd be embarrassed ...)
My suspicion is that this is NOT rising to "nuke the bastards" smtp response,
and that I should figure out how to get the attention of the right persons (NOT
'customer service') at FinCo. TBH, how to make that contact is beyond me;
public shaming on Twitter might be an option ;-)
That's for DKIM.
Same question remains, and I suspect with a similar answer, re: TLSv1.
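A receiver-side check for the situation discussed above (rsa-sha1 signatures, which RFC 8301 removed from DKIM), as an added example that is not code from anyone on this list. It classifies each DKIM-Signature header as "verify", "ignore" (rsa-sha1: treat as unsigned, do not reject) or "invalid"; the header block, domains, selectors and signature bytes are constructed for the example.

```python
import re

# Constructed RFC 5322 header block: a "FinCo"-style sender still signing with
# rsa-sha1, plus a second signature using a current algorithm. Not real data.
SAMPLE_HEADERS = (
    "From: statements@finco.example\n"
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=finco.example;\n"
    "\ts=sel2019; h=from:to:subject:date; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZw==\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example;\n"
    "\ts=k1; h=from:to:subject:date; bh=ZmFrZWJvZHloYXNo; b=ZmFrZXNpZw==\n"
    "Subject: Your monthly statement\n"
)

# Algorithms a receiver should still verify: rsa-sha256 (required by RFC 8301)
# and ed25519-sha256 (added by RFC 8463).
ACCEPTED_ALGORITHMS = {"rsa-sha256", "ed25519-sha256"}


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list),
    dropping folding whitespace inside values."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_algorithm_verdict(header_value: str) -> str:
    """Receiver policy for the a= tag:
    'verify'  - current algorithm, run normal DKIM verification;
    'ignore'  - rsa-sha1, removed by RFC 8301: treat the message as unsigned
                (no DKIM pass) but do not reject it on this ground alone;
    'invalid' - missing or unknown algorithm, signature cannot be evaluated."""
    alg = parse_dkim_tags(header_value).get("a", "").lower()
    if alg in ACCEPTED_ALGORITHMS:
        return "verify"
    if alg == "rsa-sha1":
        return "ignore"
    return "invalid"


def audit_dkim_headers(raw_headers: str) -> list:
    """Unfold continuation lines, then return (d= domain, verdict) for every
    DKIM-Signature header in the block, in order of appearance."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    results = []
    for m in re.finditer(r"(?im)^DKIM-Signature:\s*(.+)$", unfolded):
        value = m.group(1)
        results.append((parse_dkim_tags(value).get("d", "?"), dkim_algorithm_verdict(value)))
    return results
```

Running `audit_dkim_headers(SAMPLE_HEADERS)` yields one "ignore" for the finco.example signature and one "verify" for the esp.example one, which is the "ignore the signature, don't block the message" outcome from the quoted reply.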