On Wed, Aug 15, 2018 at 11:30 AM, John Levine <jo...@taugh.com> wrote:

> In article <799c2b18-97fe-6e22-f2cf-49245ae9c...@gmail.com> you write:
> >So the extra mechanism is intended as an efficiency hack.
>
> No, it also documents the fact that the chain was broken when it
> arrived at the cv=fail signer.  Without it, a subsequent hop can't
> tell.  It probably won't make much difference to spam filters, but
> it could be useful if you're trying to find and fix forwarders
> that make gratuitous changes.
>

Exactly.


> I think there's a modest benefit to signing with cv=fail, and since
> you can't count on having a chain (even an invalid one) signing as
> if it were cv=none seems reasonable.
>

It's this, as well as what I outlined in my previous message.


> PS: Once there is a cv=fail seal, there doesn't seem to be any point
> to adding any more seals in later hops.  It's dead, Jim.
>

Absolutely, and the spec very clearly said this prior to the -15 reorg, but
it appears that has disappeared. Fixed.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
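
An added example, not part of the original message or of the ARC specification: a small diagnostic for the forwarder-hunting use mentioned above. It reads the ARC-Seal headers of a message, reports the hop that first recorded cv=fail, and flags any seals added after it. The sample message, its domains and the function names are constructed for illustration, and the code only reads the recorded cv= tags; it does no cryptographic validation.

```python
import email

# Constructed sample (not real traffic): hop 2 received a chain that no
# longer validated and sealed it with cv=fail.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; d=forwarder.example; s=s2; cv=fail;
 b=AAAA==
ARC-Seal: i=1; a=rsa-sha256; d=list.example; s=s1; cv=none; b=BBBB==
From: alice@origin.example
Subject: constructed test

body
"""

def parse_tags(value):
    """Split a DKIM-style 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)          # base64 '=' padding stays in val
            tags[key.strip().lower()] = "".join(val.split())  # drop folding whitespace
    return tags

def arc_chain_report(raw_message):
    """Summarise the recorded ARC chain state as (instance, cv, domain) per hop."""
    msg = email.message_from_string(raw_message)
    seals = []
    for value in msg.get_all("ARC-Seal", []):
        tags = parse_tags(value)
        if tags.get("i", "").isdigit():
            seals.append((int(tags["i"]), tags.get("cv", "").lower(), tags.get("d", "")))
    seals.sort()                                   # order hops by instance number
    failed = [s for s in seals if s[1] == "fail"]
    first_fail = failed[0] if failed else None
    return {
        "hops": seals,
        # The chain was already broken when it reached this signer, so the
        # modification happened before this hop.
        "first_fail": first_fail,
        # Seals with a higher instance than the first cv=fail serve no purpose.
        "sealed_after_fail": [s for s in seals if first_fail and s[0] > first_fail[0]],
        # A later hop has no reason to seal once cv=fail is recorded.
        "should_seal": first_fail is None,
    }

if __name__ == "__main__":
    print(arc_chain_report(SAMPLE))
```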
