> I don't agree that this is the right action in all cases, nor that
> "can't be verified" includes transient DNS errors.
But this isn't a transient DNS error. The authoritative answer from bellsouth.net is that there's no such key, because they forgot to install it. I tried sending myself a message from my BT Internet account, which is also handled by Yahoo. Its key is s1024._domainkey.btinternet.com, which does exist.

> I took "can't be verified" in RFC4871 to mean only "the crypto didn't
> add up". If the DNS times out, I think that's inconclusive, and I'd
> prefer to temp-fail in that case.

I agree that it's reasonable to return 4XX on a soft DNS failure since the chances are pretty good that you'll get a better answer if you try later. But that's not what happened here, it's a hard failure, and I don't see any reasonable reading of the DKIM spec that allows you to turn that into a hard failure.

Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
"I dropped the toothpaste", said Tom, crestfallenly.
_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
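Added example, not part of the original message or of any DKIM implementation: a sketch of how a verifier can derive the key query name from a DKIM-Signature header and keep the soft DNS failure discussed above (timeout, eligible for a 4XX and retry) separate from an authoritative "no such key" answer. The function names, the treatment of response codes other than NOERROR and NXDOMAIN as soft failures, and the sample header are assumptions made for illustration.

```python
import re
from enum import Enum
from typing import List, Optional


class KeyLookup(Enum):
    FOUND = "key record present"
    TEMPFAIL = "key unavailable, retry later"   # soft DNS failure
    PERMFAIL = "no key for signature"           # authoritative: key does not exist


def key_query_name(dkim_signature: str) -> str:
    """Build <selector>._domainkey.<domain> from the s= and d= tags."""
    # Unfold header continuation lines before splitting the tag list.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", dkim_signature)
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    if "s" not in tags or "d" not in tags:
        raise ValueError("DKIM-Signature lacks s= or d= tag")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def classify(rcode: Optional[str], txt_records: List[str]) -> KeyLookup:
    """Classify a key lookup. rcode is the DNS response code as text;
    None means the query got no response (timeout)."""
    if rcode == "NXDOMAIN":
        return KeyLookup.PERMFAIL
    if rcode == "NOERROR":
        # An empty NOERROR answer is still an authoritative "no key here".
        return KeyLookup.FOUND if txt_records else KeyLookup.PERMFAIL
    # Timeout, SERVFAIL and anything else: inconclusive (assumption).
    return KeyLookup.TEMPFAIL


# Constructed sample header; only the selector and domain come from the message.
SAMPLE = ("v=1; a=rsa-sha256; d=btinternet.com; s=s1024;\r\n"
          "\th=from:to:subject; bh=Q09OU1RSVUNURUQ=; b=Q09OU1RSVUNURUQ=")

if __name__ == "__main__":
    print(key_query_name(SAMPLE))
    print(classify(None, []).value)         # timeout
    print(classify("NXDOMAIN", []).value)   # key never published
```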
