https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6918
--- Comment #6 from Alessandro Vesely <ves...@tana.it> ---

For DKIM, Mail::DKIM::Verifier looks up keys as soon as it parses a signature, like so:

    # inside Mail::DKIM::Verifier, as each DKIM-Signature header line is read
    my $signature = Mail::DKIM::Signature->parse($line);
    $self->add_signature($signature);
    $signature->fetch_public_key;

We need a parsed signature in order to understand if it was verified already, so as to skip its verification. A domain can add multiple signatures, which can have different selectors or at least a different hash (header.s is not yet part of A-R; if header.b is missing, we must assume that this signature was the only one the verifier saw by the given domain.)

Of course, a domain can add signatures after A-R fields were written. Those should not be interesting if the A-Rs are trusted. However, A-Rs, albeit by a trusted agent, might be stale, written before a message was further relayed. In that case a careful MTA should invalidate them (Courier-MTA, for example, renames them to Old-Authentication-Results on ingress.)

The quick solution is to have the admin tell if A-Rs are authoritative for DKIM, which also entails that there is no valid DKIM signature unless we found the result. Messages arriving from a different path, with no A-R, may still require loading DKIM::Verifier. Otherwise, the hard solution requires learning more Mail::DKIM internals.

BTW, what's that "caller of SpamAssassin already supplied DKIM signature objects" comment in SpamAssassin::DKIM?
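The matching logic the comment describes, as an added illustration that is not part of the bug report or of SpamAssassin or Mail::DKIM: only A-R fields from a trusted authserv-id are consulted, header.d must match d=, a present header.b must be a prefix of b=, and an absent header.b is taken to cover the only signature seen from that domain. The authserv-ids, A-R fields and signatures are constructed sample data, and A-R comments containing ';' are not handled.

```python
# Constructed sample data (not from the bug report): A-R fields as written by a trusted
# filter on this host, plus one field from an agent this host does not trust.
TRUSTED_AUTHSERV_IDS = {"mx.example.org"}
AR_FIELDS = [
    "mx.example.org; dkim=pass header.d=tana.it header.b=AbCdEfGh",
    "mx.example.org; dkim=fail (bad sig) header.d=tana.it header.b=ZyXwVuTs",
    "mx.example.org; dkim=pass header.d=gamma.example",         # no header.b
    "old-relay.example.net; dkim=pass header.d=other.example",  # untrusted agent
]

def parse_ar(value):
    """Split an Authentication-Results value into (authserv-id, list of resinfo dicts).
    Simplified: a ';' inside a parenthesised comment is not handled."""
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower()
    results = []
    for part in filter(None, parts[1:]):
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append({"method": method, "result": result, **props})
    return authserv_id, results

def parse_signature_tags(value):
    """Return the tag=value pairs of a DKIM-Signature header with folding whitespace removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def prior_dkim_result(sig_tags, ar_fields=AR_FIELDS, trusted=TRUSTED_AUTHSERV_IDS):
    """Return the dkim result a trusted A-R already recorded for this signature, or None
    (None means Mail::DKIM::Verifier still has to verify it). header.d must equal d=; a
    present header.b must be a prefix of b=; an absent header.b is taken to cover the only
    signature the verifier saw from that domain, as the comment above assumes."""
    domain = sig_tags.get("d", "").lower()
    for field in ar_fields:
        authserv_id, results = parse_ar(field)
        if authserv_id not in trusted:
            continue  # untrusted (or possibly stale) agent: do not reuse its verdict
        for res in results:
            if res["method"] != "dkim" or res.get("header.d", "").lower() != domain:
                continue
            if "header.b" in res and not sig_tags.get("b", "").startswith(res["header.b"]):
                continue
            return res["result"]
    return None
```

A signature from tana.it added after the A-R fields were written (a b= value no entry covers) yields None, so it still goes through the verifier rather than inheriting the earlier verdict.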