I appreciate the comments on this. Boils down to:
> ... moral of this story is .... in no particular order,
>
> ** 'Best/current Practice' _is_ better than sha1/dkim & TLSv1
> ** FinCo's lazy & sloppy, not worth rejecting, but I can flag & watch
> ** I've checked my ~12 month logs; FinCo represents ~ 95% of accepted/legit mail that's both sha1/dkim & TLSv1
> ** I'll send one letter to FinCo's CIO/CSO offices. I expect no change, but it'll make me 'feel better'.
> ** I've confirmed that < 1024 bit sigs are not accepted at all
> ** for now, my TLS policy stays at ="may" and get back to more useful work.
>
> thanks all.