On Jun 15, 2014, at 6:02 PM, John Levine <[email protected]> wrote:

>>> Your plan, as I understand it, was that verifiers will ignore a
>>> signature that is too weak. One might argue clients that accept weak
>>> signatures are already broken, but in that case there are an awful lot
>>> of broken clients, starting with spamassassin. (I just checked.)
>>
>> Spamassassin does not pretend to be a DKIM (or DMARC) policy engine,
>> so of course it "accepts" weak signatures. It accepts invalid and
>> nonexistent signatures, too.
>
> No, it doesn't.

Yes, SpamAssassin does "accept" weak, invalid, and nonexistent signatures.

> It calls Mail::DKIM to validate the signatures.

Yes, it does. But SA uses the results of Mail::DKIM heuristically and a DKIM failure is frequently not a sufficient basis for rejection.

http://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Plugin_DKIM.html

Matt

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
