Re: Incoming SMTP in the year 2017 and absence of DKIM (fwd)

["John R. Levine" <johnl () iecc com>]

In article <6134b4a7-9da8-2935-e9f6-e4374b3fdba4 () spamtrap tnetconsulting net>,
Grant Taylor via NANOG  <gtaylor () tnetconsulting net> wrote:
> > https://datatracker.ietf.org/doc/draft-levine-dkim-conditional/

> The only way that I can think of is for the originating mail server to
> DKIM sign the message twice, 1st with the classic DKIM-Signature w/o the
> !fs tag, and 2nd with a DKIM-Signature that includes the !fs tag with a
> value of of the recipient's domain.

> Is this what you were intending?  A list of DKIM-Signatures linked via
> !fs tags?

Yup, with the chain typically having no more than one or two links,
since legit forwarding of the kind that might break DKIM is pretty
rare more than two deep.

> If I do understand correctly, I think that it's intriguing.  I'm not
> aware of anything else that would work quite the same way.

That was the plan.  I thought it was pretty clever, but like I said, the 
large mail systems that developed ARC wanted to put the control with the 
recipients, not the senders.

R's,
John