A lot of the early motivation for DKIM was that it might be helpful for combating phishing. At the time tons of email providers were open relay sewers. What DKIM allowed is that you could at least determine which domain was sending it if they signed. Ideally you want to catch the phishing before it hits the inbox, but obviously some of it is going to get through. A user might not realize for weeks or months that a message was an attack and that's doubly true if it was successful. One of the original goals was that the sending domain could theoretically take responsibility for sending the mail. It was never defined what that might entail but since a protocol was never envisioned for this to happen in transit, it was tacitly assumed that it was some out of band mechanism, like oh say, sending mail to abuse@ or something like that. They could then see that it was really from them and take action on the user who sent it. That's especially true when submission became the norm.
If the signature was stripped out of the mail, it gives an easy out for the sending domain to disclaim its involvement. That defeats the entire utility of taking responsibility. That's a problem, and we shouldn't be stripping out perfectly valid functionality.
Mike _______________________________________________ Ietf-dkim mailing list [email protected] https://www.ietf.org/mailman/listinfo/ietf-dkim
