Dave CROCKER wrote:
This begs the question: why bother to do the first validation; why not simply wait and let whoever would have validated the first instead validate the first?
If the only authentication method being applied at a site is DKIM or other things that don't care about the path, that works. But that's a big "if", and moreover means all consumers of authentication results data must now learn all local path-agnostic methods being used to evaluate messages.
The desire here is to secure arbitrary authentication results data between the border MTA and the consuming MUA. DKIM is one way that could be achieved, meaning the consumers need to learn one and only one message authentication scheme in order to validate that one piece of protected internal data.
