> The draft continues to make broad, onerous claims like this, but provides no documentation to indicate that the DKIM signing specification is flawed in the function it is performing: attaching a validated domain name to a message.
DKIM does not, in its current form, attach a validated domain name to a message. By adding one line "MUST NOT validate a message with multiple From:'s", DKIM will attach a validated domain name to a message.
Here's the part of this I don't understand:
A DKIM signature does two things. It *does* attach a validated domain name (the domain in the d= tag). And it tells the verifier what parts of the message are covered by the signature (h= and l= tags). There is no claim in DKIM that the d= domain has any relation to the RFC 5322 From. But the h= tag does tell you how many From header fields are covered by te signature.
Any verifier that wants to consider a message suspicious if the message contains more From fields than are covered by the signature can do so, and the DKIM spec does describe this situation.
You would like the spec to REQUIRE that a message be considered suspicious under those circumstances. You made your case for this at least twice to the working group and at least once more to the IETF community during Last Call of the draft that became RFC 6376. Your opinion wasn't agreed with: you were "in the rough". You're now bringing it up a fourth time (at least), and you still appear to be in the rough. The decision was to allow the verifier to decide how to handle this.
Being in the rough doesn't make you wrong. But DKIM isn't wrong either, and at some point you have to accept that you're standing alone, and accept the consensus.
Barry