[ietf-dkim] DKIM Threat Analysis v0.06

Arvel Hathcock arvel at altn.com
Fri Aug 19 05:59:44 PDT 2005


> Is it a tool for the SMTP server to reject messages from SMTP clients that 
> are doing something unauthorized?  Is it a tool for post-acceptance 
> filtering and routing in the MDA?  Is it a tool meant to give MUAs 
> information to display to end users?

In my implementation, the SMTP server does all the DKIM checking and either 
rejects the message outright or documents the results in an AR header. 
Assuming the message isn't rejected, my MTA router code, which invokes my 
filters, adds/subtracts from the heuristic scoring, etc., based on what it 
finds in the AR header.  Finally, under precise conditions my web-based MUA 
will display a notice along the lines of what Yahoo is doing.  This also is 
triggered by the AR header.  The key for me is to do the DKIM checking 
during the SMTP session and document the results in an AR header for use 
later down the processing chain (MTA/MUA) - this is just how my particular 
implementation does it, your mileage may vary :)

--
Arvel
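
The hand-off described in this message, as an added example (not part of the original post and not the poster's implementation): a downstream filter adjusts its heuristic score from the DKIM result that the border SMTP server recorded. It assumes "AR" is the Authentication-Results header in its RFC 8601 form and that the border MTA strips inbound headers carrying its own authserv-id; the name `mx.example.org`, the score weights and the sample message are constructed.

```python
import email
import re

TRUSTED_AUTHSERV_ID = "mx.example.org"  # assumed authserv-id of our own border MTA
# Assumed score adjustments per DKIM result (positive = more suspicious).
DKIM_SCORE = {"pass": -1.0, "fail": 2.0, "permerror": 0.5, "policy": 0.5}

def dkim_results(raw_message):
    """Return DKIM results found in AR headers stamped by our own border MTA."""
    msg = email.message_from_bytes(raw_message)
    results = []
    for value in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(str(value).split())           # undo header folding
        unfolded = re.sub(r"\([^()]*\)", "", unfolded)    # drop (comments)
        authserv_id, _, rest = unfolded.partition(";")
        parts = authserv_id.split()  # authserv-id may be followed by a version
        if not parts or parts[0].lower() != TRUSTED_AUTHSERV_ID:
            continue  # stamped by another host, possibly the sender: ignore
        for resinfo in rest.split(";"):
            method, sep, tail = resinfo.strip().partition("=")
            tokens = tail.split()
            if sep and tokens and method.strip().lower() == "dkim":
                results.append(tokens[0].lower())
    return results

def adjust_score(raw_message, base_score):
    """Apply the DKIM verdict to a heuristic score; no trusted header, no change."""
    results = dkim_results(raw_message)
    if not results:
        return base_score
    if "pass" in results:  # assumed policy: one valid signature is enough
        return base_score + DKIM_SCORE["pass"]
    return base_score + max(DKIM_SCORE.get(r, 0.0) for r in results)

# Constructed sample: the top header was added by our MTA, the second one
# arrived with the message and claims a pass under a foreign authserv-id.
SAMPLE = (
    b"Authentication-Results: mx.example.org;\r\n"
    b" dkim=fail (bad signature) header.d=example.com\r\n"
    b"Authentication-Results: other.example; dkim=pass header.d=example.com\r\n"
    b"From: someone@example.com\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"body\r\n"
)

if __name__ == "__main__":
    print(dkim_results(SAMPLE), adjust_score(SAMPLE, 1.0))
```

Keying on the authserv-id is what keeps the later MTA and MUA stages from acting on a result header that the sender supplied.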




