So, that section of the Spec says:
Current DKIM verifiers may want to explicitly call the ACL for known
domains or identities. This would be achieved as follows:
dkim_verify_signers = paypal.com:ebay.com:$dkim_signers
This would result in acl_smtp_dkim always being called for "paypal.com"
and "ebay.com", plus all domains and identities that have signatures in
the message. You can also be more creative in constructing your
policy. For example:
dkim_verify_signers = $sender_address_domain:$dkim_signers
But I cannot see the point of doing either of these things.
Either one of the prepended domains has a valid signature in the
message, or none has. One way or the other, the final result of running
acl_smtp_dkim for _all_ members of dkim_verify_signers is the same as if
nothing were prepended.
At least if the only decision I want to make is "one of
dkim_verify_signers has a valid sig" versus "any other outcome". If I
were to consider invalid and failing sigs things would be different. Is
_that_ why this "creative" hook exists?
--
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign:
http://cr.yp.to/smtp/8bitmime.html
