RFC Errata



RFC 6376, "DomainKeys Identified Mail (DKIM) Signatures", September 2011

Note: This RFC has been updated by RFC 8301, RFC 8463, RFC 8553, RFC 8616

Source of RFC: dkim (sec)

Errata ID: 5551
Status: Rejected
Type: Technical
Publication Format(s): TEXT

Reported By: Borislav Petrov
Date Reported: 2018-11-09
Rejected by: Barry Leiba
Date Rejected: 2019-04-30

Section 6.3 says:

If an MTA does wish to reject such
   messages during an SMTP session (for example, when communicating with
   a peer who, by prior agreement, agrees to only send signed messages),
   and a signature is missing or does not verify, the handling MTA
   SHOULD use a 550/5.7.x reply code.

   Where the Verifier is integrated within the MTA and it is not
   possible to fetch the public key, perhaps because the key server is
   not available, a temporary failure message MAY be generated using a
   451/4.7.5 reply code, such as:

   451 4.7.5 Unable to verify signature - key server unavailable

   Temporary failures such as inability to access the key server or
   other external service are the only conditions that SHOULD use a 4xx
   SMTP reply code. 

Notes:

This contradicts RFC5321 which says:

...a relay SMTP has no need to inspect or
act upon the header section or body of the message data and MUST NOT
do so except to add its own "Received:" header field...

--VERIFIER NOTES--

There is nothing in the cited text above that suggests modifications to the message. The text only talks about which SMTP reply codes to use.
