John Levine wrote:
>> Any way to tell someone its signature is used in third party signing?
>
> Remember that invalid signatures are ignored, and signers are already
> aware of all the valid signatures they've applied.

Well, according to what I have seen from the GMAIL verifier, it is discarding mail with invalid signatures. I confirmed this 6 times last night with one message resent 6 times. Four of the six were slightly modified each time to force an integrity error. These were accepted by GMAIL's SMTP server but silently discarded (never posted). The other two were the same original DKIM signed message but with the DKIM-Signature header cut out. The two messages were accepted and immediately posted. As long as the original DKIM-Signature remained, the message was not delivered.

I guess at least 1 big system is not listening to the Invalid Signature Ignorance DKIM policy. Either they are right and saved the day or they were wrong and bad mail was unexpectedly lost. Take the DKIM-Signature out and mail is delivered.

Again, all I did was essentially replay a valid DKIM signed message (according to the original AR that indicated a DKIM pass) by slightly modifying its content and/or headers. Gmail accepted the mail, but it was not delivered. I took out the DKIM-Signature and poof! It made it thru. That indicates they are not following this ignore invalid signature rule.

--
Sincerely

Hector Santos
http://www.santronics.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
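The contrast discussed in the message above, as an added example that is not part of the original post: a verifier that treats a failed signature as no signature, next to a model of the behaviour the post reports. Assumptions: only the `bh=` body hash is checked (not the `b=` signature, so header changes are not covered), the function names are hypothetical, the sample message is constructed, and `reported_behaviour` models the post's observation rather than any documented receiver policy.

```python
import base64
import hashlib
import re

def relaxed_body(body):
    """RFC 6376 'relaxed' body canonicalization (bare LF is treated as CRLF here)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace to one space and drop whitespace at line end.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body):
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def bh_matches(sig, body):
    """None if there is no signature, else whether its bh= tag matches the body."""
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*bh=([^;]*)", sig)
    return m is not None and re.sub(r"\s+", "", m.group(1)) == body_hash(body)

def ignore_invalid(sig, body):
    """The rule quoted in the thread: a failed signature counts as no signature."""
    return "handle-as-signed" if bh_matches(sig, body) else "handle-as-unsigned"

def reported_behaviour(sig, body):
    """Model of what the post reports: a failed signature gets the message dropped."""
    return "discard" if bh_matches(sig, body) is False else "deliver"

# Constructed sample data; d=, s= and b= are placeholders.
ORIGINAL = b"Meeting moved to 3pm.\r\nSee you there.\r\n"
MODIFIED = b"Meeting moved to 4pm.\r\nSee you there.\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
       "bh=%s; b=PLACEHOLDER" % body_hash(ORIGINAL))

def run_cases():
    cases = [("signed, intact", SIG, ORIGINAL),
             ("signed, modified", SIG, MODIFIED),
             ("signature removed", None, ORIGINAL)]
    return {name: (ignore_invalid(s, b), reported_behaviour(s, b))
            for name, s, b in cases}

if __name__ == "__main__":
    for name, result in run_cases().items():
        print(name, result)
```

The two policies differ only in the "signed, modified" row, which is the case the four altered test messages in the post exercised.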
