>Ugh! We simply have to fix the root cause of MLM's breaking DKIM signatures.
Um, the root cause is that people want DKIM to be something it is not, was never intended to be, and cannot be. It doesn't provide robust, long-lived signatures. There are signing systems that do, but DKIM isn't one of them.

MLMs have changed messages for decades. That's not a bug, and it's not going to change. DKIM is designed to survive minor changes typical of transit through an MTA, and no more. That's not a bug, either, and that's not going to change. In retrospect, it was a mistake to add l= to DKIM, since it encouraged the mistaken belief that a lot of signatures might be able to survive a trip through an MLM.

My opinion about ADSP is hardly a secret, so rather than reiterate its faults, let me just say that any organization that wants to use ADSP should be prepared to bear the costs of doing so, such as making arrangements for valuable mail to come from a different domain, as PayPal is doing.

For the .GOV domains, I don't see anything in the dotgov.gov web site that restricts an entity to a single domain, and I know there are plenty of names like DONOTCALL.GOV registered to departments with other domains (FTC.GOV in that case.) If they really send discardable mail and want to publish ADSP, which I'd think would be rare, they can get different domain names. For .EDU, I'd be surprised if many of them were phish targets, and for the tiny fraction that might be, they have subdomains or .ORG as an alternative for their valuable mail.

R's,
John
_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
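To make John's point concrete, the following is an added example (not code from the thread or from any DKIM implementation) that computes the DKIM body hash (the bh= value) over a body canonicalized with the "relaxed" algorithm of RFC 6376, with and without an l= body-length limit. The message bodies are constructed samples. It shows the three cases the reply describes: whitespace and line-ending changes typical of MTA transit leave the hash unchanged; a footer appended by an MLM changes it; and with l= set to the original canonical length the appended footer falls outside what is hashed, which is exactly why l= looked like an MLM fix and why it is a mistake (whatever follows the signed length is simply not covered by the signature, so a verifier can say nothing about it).

```python
import base64
import hashlib
import re
from typing import Optional


def relaxed_body(body: str) -> bytes:
    """Canonicalize a message body with the RFC 6376 'relaxed' body algorithm:
    collapse runs of WSP to one SP, strip trailing WSP on each line,
    drop trailing empty lines, and terminate a non-empty body with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    out = []
    for line in lines:
        line = re.sub(r"[ \t]+", " ", line)  # reduce WSP sequences to a single SP
        line = line.rstrip(" \t")             # remove WSP at end of line
        out.append(line)
    while out and out[-1] == "":              # remove trailing empty lines
        out.pop()
    if not out:
        return b""
    return ("\r\n".join(out) + "\r\n").encode("utf-8")


def body_hash(body: str, length: Optional[int] = None) -> str:
    """Return the base64 SHA-256 body hash (bh=). With an l= length, only the
    first `length` octets of the canonicalized body are hashed (RFC 6376 3.7)."""
    canon = relaxed_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def signed_length(body: str) -> int:
    """The l= value a signer would emit to cover the whole body as it was signed."""
    return len(relaxed_body(body))


# Constructed sample bodies (not taken from any real message).
ORIGINAL = "Hello list,\n\nPlease review the  draft.\n"
# Same content after typical MTA transit: CRLF endings, trailing WSP, extra blank line.
TRANSIT = "Hello list,  \r\n\r\nPlease review the draft.\r\n\r\n"
# Same content after an MLM appended its footer.
MLM = ORIGINAL + "_______________\nexample-list mailing list\n"


def outcomes() -> dict:
    """Summarize which modifications the body hash survives."""
    l = signed_length(ORIGINAL)
    return {
        "transit_survives": body_hash(ORIGINAL) == body_hash(TRANSIT),
        "mlm_footer_survives": body_hash(ORIGINAL) == body_hash(MLM),
        "mlm_footer_survives_with_l": body_hash(ORIGINAL, l) == body_hash(MLM, l),
        # Octets of the MLM body that l= leaves outside the hash entirely.
        "unsigned_octets_with_l": len(relaxed_body(MLM)) - l,
    }


if __name__ == "__main__":
    for name, value in outcomes().items():
        print(f"{name}: {value}")
```

The relaxed canonicalization is what lets DKIM tolerate the MTA-level edits John mentions; anything that changes canonical content, such as a footer, produces a different bh=. The last result is the caveat on l=: the signature still verifies on the MLM-modified message only because the footer's octets are never hashed, so a verifier that accepts such a signature is trusting content the signer never saw.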
