Rob,

> > Yes, this is normal. An absence of a policy record implies
> > a default policy, which is a neutral 'signs some mail'.
>
> Personally, I find it strange to call 'signs some mail' neutral if
> there's nothing that indicates that we might actually do 'sign some
> mail'. But I haven't read all docs about the subject so I guess there's
> a reason for it or this is assumed.

It is a consequence of the requirement that a failed signature verification MUST be indistinguishable from an absent signature.

Btw, the draft-ietf-dkim-ssp-00 (which is applicable to DKIM and fills the same role as a policy record in DK) offers similar choices:

   unknown (default)  The entity may sign some or all email.

   all  All mail from the entity is signed; unsigned email MUST be considered Suspicious ...

   strict  All mail from the entity is signed; messages lacking a valid Originator Signature MUST be considered Suspicious...

Mark