trusteddomainproject / OpenDKIM

verifier : option to ignore body hash verification #122

Open Tom-Doe opened 3 years ago

Tom-Doe commented 3 years ago

Since there are issues with the verification of the body of a DKIM-signed message that got recoded or contains other encoding issues, I would like to have an option where the verifier could ignore the body hash / body signature verification.

Verifying just the signed headers and ignoring the body hash gives an opportunity to be much more strict at the connection level of the MTA for fraudulent headers; because of the encoding issues (too often found) the only real option now is to quarantine everything or accept everything with failures. This is not the happy way.

OpenDKIM should also be a tool like a DNS blacklist, offering the possibility of REJECTing manipulated messages, because personally I find following the DMARC policy too "soft" on these things. At the moment this cannot be done without REJECTing a lot of really genuine mails...

Offering an "ignore body hash verification" solves these issues and gives a choice.
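
The recoding failure described in this issue, as an added example (not OpenDKIM code and not part of the original post): it computes the `bh=` value under RFC 6376 "relaxed" body canonicalization and compares it for a body that was only re-spaced in transit and one that a relay recoded from quoted-printable to 8bit. The sample message, the domain `example.com`, the selector `sel1` and the `b=` placeholder are constructed.

```python
import base64
import hashlib
import quopri
import re


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization, RFC 6376 section 3.4.4."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of whitespace and drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes) -> str:
    """Value a signer or verifier computes for bh= with a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def bh_tag(dkim_signature: str) -> str:
    """Extract bh= from a DKIM-Signature header value."""
    match = re.search(r"(?:^|;)\s*bh=([^;]+)", dkim_signature)
    if match is None:
        raise ValueError("no bh= tag")
    return re.sub(r"\s+", "", match.group(1))


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    return bh_tag(dkim_signature) == body_hash(body)


# Constructed samples: body as signed (quoted-printable), the same body after
# a hop trimmed trailing whitespace, and after a relay recoded it to 8bit.
SIGNED_BODY = b"Gr=C3=BC=C3=9Fe aus Berlin,  \r\nTom\r\n\r\n"
RESPACED_BODY = b"Gr=C3=BC=C3=9Fe aus Berlin,\r\nTom\r\n"
RECODED_BODY = quopri.decodestring(SIGNED_BODY)

# Constructed header; d=, s= and the b= placeholder are not real values.
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "h=from:to:subject; bh=" + body_hash(SIGNED_BODY) + "; b=PLACEHOLDER"
)

SAMPLES = {"signed": SIGNED_BODY, "respaced": RESPACED_BODY, "recoded": RECODED_BODY}
RESULTS = {name: body_hash_matches(SIGNATURE, body) for name, body in SAMPLES.items()}
print(RESULTS)
```

The `bh=` value is itself part of the signed `DKIM-Signature` header, so a verifier that skipped this comparison would still authenticate the signed headers but would say nothing about whether the body is the one the signer hashed.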