Incoming SMTP in the year 2017 and absence of DKIM (fwd)

John R. Levine johnl at
Sat Dec 2 19:51:16 CST 2017

In article <6134b4a7-9da8-2935-e9f6-e4374b3fdba4 at>,
Grant Taylor via NANOG  <gtaylor at> wrote:

>The only way that I can think of is for the originating mail server to
>DKIM sign the message twice, 1st with the classic DKIM-Signature w/o the
>!fs tag, and 2nd with a DKIM-Signature that includes the !fs tag with a
>value of of the recipient's domain.

>Is this what you were intending?  A list of DKIM-Signatures linked via
>!fs tags?

Yup, with the chain typically having no more than one or two links,
since legit forwarding of the kind that might break DKIM is pretty
rare more than two deep.

>If I do understand correctly, I think that it's intriguing.  I'm not
>aware of anything else that would work quite the same way.

That was the plan.  I thought it was pretty clever, but like I said, the 
large mail systems that developed ARC wanted to put the control with the 
recipients, not the senders.


More information about the NANOG mailing list