> Thanks for this, it makes sense. Some questions (may or may not have been
> discussed already or in your Internet draft):
>
> 1. The DKIM-Signature v=2 is only in the headers in the email, correct? Or,
> would a DKIM DNS record also have v=dkim2; ?

No need to change the keys, since the hashing and signing hasn't changed.
Also see my later note about why the key records don't need version
numbers.

> 2. If there are multiple To: addresses, the verifier just checks to see
> whether the d= in any DKIM-Signature that validates matches any domain in the
> 5322.To: header?

Yes. The draft says the fs= can be a specific domain, or the abbreviation "t"
or "c", which should make the signing marginally easier since the signer
could use the same template for many signatures without having to pick the
domain out of the To: header.

> 3. Should we think about how this interacts with Authentication-Results
> stamping?

I don't see offhand how A-R would be affected. It's still a DKIM
signature, so the A-R report would be the same.

> 4. How does the sending MTA know when to stamp this v=2 DKIM header?
> Presumably, it would need to have a list of known forwarders stored somewhere?

When there's a cs= tag. It's in the draft.
R's,
John
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
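The domain check discussed in question 2 above, as an added illustration that is not part of the list thread and not code from the draft or from any DKIM implementation. It parses the tag list of each DKIM-Signature, reads fs= as either a literal domain, "t" (domains in 5322.To) or "c" (domains in 5322.Cc), and reports which cryptographically validated d= domains fall inside that allowed set. Assumptions: the RFC 6376 signature validation itself has already been done (the caller passes in the set of d= domains whose signatures validated), the fs= tag sits on a v=2 signature, and the sample headers, selectors and signature values are constructed; the draft's exact tag syntax may differ.

```python
"""Added example: forwarder-domain matching for a DKIM-Signature carrying fs=.
Not from the dmarc list thread or the draft; fs= semantics as described in the
reply to question 2 (literal domain, "t" = 5322.To domains, "c" = 5322.Cc
domains) are an assumption. Signature crypto is assumed verified elsewhere.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message: the To: line carries two domains, the second
# signature is from a forwarder (lists.example.org), the third is a plain
# v=1 signature that the v=2 logic must ignore. Signature values are dummies.
SAMPLE = """\
From: sender@sender.example
To: Alice <alice@example.com>, bob@lists.example.org
Cc: carol@cc.example
DKIM-Signature: v=2; a=rsa-sha256; d=sender.example; s=sel; fs=t;
 h=from:to:subject; bh=c29tZWhhc2g=; b=c2ln
DKIM-Signature: v=2; a=rsa-sha256; d=lists.example.org; s=list; fs=t;
 h=from:to:subject; bh=c29tZWhhc2g=; b=c2ln
DKIM-Signature: v=1; a=rsa-sha256; d=other.example; s=old; h=from; bh=c29tZWhhc2g=; b=c2ln
Subject: test

body
"""


def load(text=SAMPLE):
    """Parse raw RFC 5322 text into an email.message.Message."""
    return message_from_string(text)


def parse_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).
    Folding whitespace inside values is removed, so folded b= and h= survive."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def header_domains(msg, name):
    """Lower-cased domain part of every address in the named header (all instances)."""
    pairs = getaddresses(msg.get_all(name, []))
    return {addr.rpartition("@")[2].lower() for _, addr in pairs if "@" in addr}


def fs_targets(msg, fs):
    """Domains that an fs= value designates as acceptable forwarders."""
    if fs == "t":
        return header_domains(msg, "To")
    if fs == "c":
        return header_domains(msg, "Cc")
    return {fs.lower()}


def allowed_forwarders(msg):
    """Union of the forwarder domains designated by every v=2 signature with fs=."""
    allowed = set()
    for raw in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(raw)
        if tags.get("v") == "2" and "fs" in tags:
            allowed |= fs_targets(msg, tags["fs"])
    return allowed


def accepted_forwarders(msg, validated_domains):
    """d= domains of validated v=2 signatures that match an fs= target.
    `validated_domains` is the set of d= values whose signatures verified."""
    allowed = allowed_forwarders(msg)
    accepted = set()
    for raw in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(raw)
        d = tags.get("d", "").lower()
        if tags.get("v") == "2" and d in validated_domains and d in allowed:
            accepted.add(d)
    return sorted(accepted)


if __name__ == "__main__":
    m = load()
    print("allowed:", sorted(allowed_forwarders(m)))
    print("accepted:", accepted_forwarders(m, {"sender.example", "lists.example.org"}))
```

Note that sender.example signs with fs=t but is not itself a To: domain, so it is never reported as a forwarder; only the validated lists.example.org signature matches. A real verifier would run signature validation first and pass only the domains that actually verified, since d= in an unverified header is attacker-controlled.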