I am not meaning to be confrontational; I want to develop a deeper
understanding and educate myself.

> A DKIM signature does not imply any expectation that
> all messages will have valid signatures.

Why does DKIM signature exist if not to provide a way to know if an
email has been altered after someone sent it? Why can't someone expect a
signature to be valid? I assume computers are capable of creating a
valid signature 100% of the time.

> That's because DMARC (which I don't use or recommend)

Why don't you recommend DMARC? What is wrong with it? Do you accept
*ALL* mail sent to you in your inbox, spam or not? Other than SPF records
and DMARC, what other tools exist to verify if mail came from the domain
they purport to?

> DKIM does not convey any policy, and the correct default policy is
> to treat invalid signatures the same way as you would treat missing
> signatures.

Yes, DKIM is a signature, and DMARC is the policy that says if the
signature is invalid you are allowed to p=reject that mail. But you're
telling me at no time are you allowed to reject a message for an invalid
signature. I'm wondering, if that is the case, why does DKIM or DMARC
exist? Maybe I read it wrong, but within DMARC policy isn't it allowed
for mail servers to have local policies that override the policy request
of what to do with invalid DKIM signatures?

> You can break your system if you wish. For the record, nobody else
> should follow your example.

How is giving end users the choice, the control, over what happens with
their email "breaking" my system? Do you work for Apple? :) That was a
joke. But seriously, how is that breaking things? Isn't that what Sieve
was created for?