Mark Martinec wrote:
> 3. If the query for the public key fails because the corresponding
> key record does not exist, the verifier MUST immediately return
> PERMFAIL (no key for signature).
> [...]
> A verifier SHOULD NOT treat a message that has one or more bad
> signatures and no good signatures differently from a message with no
> signature at all; such treatment is a matter of local policy and is
> beyond the scope of this document.
>

Just to be extra clear, PERMFAIL in this context is a verifier result -- just an inability to verify the signature. In order to satisfy the above paragraph, this SHOULD NOT result in an SMTP PERMFAIL. This is different from a verifier TEMPFAIL, which may result in an SMTP TEMPFAIL.

>
> I think it is plain wrong and a bug if a verifier tempfails a message
> on an authoritative DNS failure.
>

Agreed.

-Jim
_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
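The separation between verifier results and SMTP replies discussed in this message, as an added example that is not part of the original post or of any DKIM implementation. The enum names, the DNS outcome classes (including treating an authoritative empty answer as "key record does not exist") and the `defer_on_tempfail` switch are assumptions made for illustration.

```python
from enum import Enum

class Dns(Enum):             # outcome of the key-record query (constructed model)
    FOUND = "found"
    NXDOMAIN = "nxdomain"    # authoritative: name does not exist
    NODATA = "nodata"        # authoritative: name exists, no key record
    SERVFAIL = "servfail"    # transient: server could not answer
    TIMEOUT = "timeout"      # transient: no response

class Result(Enum):          # verifier results, not SMTP reply classes
    PASS = "pass"
    PERMFAIL = "permfail"
    TEMPFAIL = "tempfail"

AUTHORITATIVE_NEGATIVE = {Dns.NXDOMAIN, Dns.NODATA}

def verify_one(dns, signature_ok=False):
    """Verifier result for one signature, given the key query outcome."""
    if dns in AUTHORITATIVE_NEGATIVE:
        return Result.PERMFAIL   # no key for signature; a retry cannot help
    if dns is not Dns.FOUND:
        return Result.TEMPFAIL   # the key may be retrievable later
    return Result.PASS if signature_ok else Result.PERMFAIL

def smtp_action(results, defer_on_tempfail=True):
    """Map per-signature verifier results to (smtp_class, dkim_status)."""
    results = list(results)
    if Result.PASS in results:
        return ("2xx", "pass")
    if Result.TEMPFAIL in results and defer_on_tempfail:
        return ("4xx", "tempfail")   # deferral is permitted, not required
    # Only bad signatures, or none at all: handled identically, never a 5xx.
    return ("2xx", "none")

if __name__ == "__main__":
    # Constructed cases: missing key, unreachable DNS, unsigned message.
    for label, outcomes in [("no key", [Dns.NXDOMAIN]),
                            ("dns down", [Dns.SERVFAIL]),
                            ("unsigned", [])]:
        print(label, smtp_action(verify_one(o) for o in outcomes))
```
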
