While I generally agree, DMARC for the last decade didn't have a testing flag. That's new in DMARCbis, so I don't think that's really germane. This particular thing is on us as a working group.

RFC 6376 makes it quite clear on page 28 that DKIM verifiers ignore signatures with a t=y flag, and treat them as though they're not there. What else is there to say? If they're not there, the message isn't signed, at least not with that signature.

I really hope that nobody is proposing, oh, but DMARC is special so if your DMARC policy has a testing flag, you reach through into your DKIM verifier and pretend that test signatures count. That would require an update to 6376 and updates to every DKIM library to have a way to say "ignore the test flag", and would require DMARC validators to find the policy record before they could do DKIM evaluation.

So once again, there is nothing to say here, so let's not say it.

Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
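
Added example, not part of the original message or of any DKIM library: a Python sketch of the layering the message describes, in which the DKIM verifier drops signatures whose key record carries t=y before DMARC sees any result. The names SigResult, dkim_layer and evaluate, the sample key records, and the use of strict (exact-match) alignment are assumptions made for illustration.

```python
from dataclasses import dataclass

def parse_tags(record: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def is_testing_key(key_record: str) -> bool:
    """True if the key record's t= flag list (colon-separated) contains 'y'."""
    flags = parse_tags(key_record).get("t", "")
    return "y" in {f.strip() for f in flags.split(":")}

@dataclass
class SigResult:              # hypothetical container for one signature's outcome
    d: str                    # signing domain from the signature's d= tag
    crypto_ok: bool           # cryptographic check result (assumed done elsewhere)
    key_record: str           # TXT record found at <selector>._domainkey.<d>

def dkim_layer(results):
    """DKIM verifier output: test-mode signatures are dropped, as if absent
    (the behaviour the message above describes)."""
    return [r.d.lower() for r in results
            if r.crypto_ok and not is_testing_key(r.key_record)]

def dmarc_dkim_aligned(from_domain, passing_domains):
    """DMARC layer: receives only passing d= values and never sees the t= flag.
    Strict alignment (exact match) is an assumption that avoids a suffix list."""
    return from_domain.lower() in passing_domains

def evaluate(from_domain, results):
    """Run both layers in order: DKIM first, then DMARC on its output."""
    return dmarc_dkim_aligned(from_domain, dkim_layer(results))

# Constructed sample key records; the key material is a placeholder.
TEST_KEY = "v=DKIM1; k=rsa; t=y:s; p=PLACEHOLDER"
PROD_KEY = "v=DKIM1; k=rsa; t=s; p=PLACEHOLDER"

if __name__ == "__main__":
    only_test = [SigResult("example.com", True, TEST_KEY)]
    with_prod = only_test + [SigResult("example.com", True, PROD_KEY)]
    print("test-mode signature only:", evaluate("example.com", only_test))
    print("test-mode plus production:", evaluate("example.com", with_prod))
```

Because dmarc_dkim_aligned takes only the list of passing domains, counting test signatures for DMARC would mean changing dkim_layer itself, which is the cross-layer dependency the message objects to.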