It's not supposed to. The decision about whether a DKIM signature that
depends on a chained signature is valid is supposed to happen entirely
within the updated DKIM module. DMARC just uses that result. I assume the
DKIM module is able to look at all of the DKIM signatures on a message and
report back which ones are valid.
Other chatter on this list suggests that not all DKIM verifier
implementations work that way, unfortunately.
I suppose I should take another look at the modules for which I have
source code and see what they do. Given that a DKIM verifier needs to
have the entire message in hand to do the verification at all, it seems
odd not to find all the signatures and do them all together.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
