The resulting paradigm is "as long as one signature can be successfully verified, DKIM verification will succeed". It is a context-free "take it and accept it" approach.

Informative remark: The protocol changes apply only to signatures signalling compliance with the iterated variant presented in this document.

• Temporary errors encountered during DNS record lookups MUST be passed through to the SMTP layer as such via a 451 or 455 reply code; with enhanced SMTP status codes 4.4.3 ("routing server failure") or 4.7.5 ("cryptographic failure") MUST be used.

  Informative remark: Verification and creation of cryptographic signatures becomes crucial, therefore DNS failures can no longer be subject of local policy. Among others the DKIM sections 4.2 "Interpretation", 6.3. "Interpret Results/Apply Local Policy" and 8.15. "Attacks Involving Extra Header Fields" are declared "changed" in meaning to stand back behind this paradigm.

• It is herewith clarified that during "relaxed" canonicalization of header fields any encountered carriage-return CR or line feed LF MUST be ignored. This to make official the approach taken by existing implementations to deal with compatibility issues required by IMF (RFC 5322). Likewise care has to be taken to ensure that only the sequence CRLF is interpreted as a line terminator in body processing.

  Informative remark: The milter protocol in widespread use for implementing SMTP extensions or support, like DKIM, does not pass CRLF during header processing, but uses LF. Also because DKIM processing is byte-based, and does not know about "quoted-pair" at all, the specification could never be complied to in full in reality.

• The signature expiration tag "x=" is no longer optional. It MUST be used to place a lifetime constraint. The maximum "t=" to "x=" delta MUST NOT be greater than 864000 seconds (ten days: to reach into the next working week). Example delta values for tag auto-generation may be the bounce defaults 432000 seconds (five days: used for example by the Mailman2 and mlmmj mailing-list managers, and the postfix MTA), 345600 seconds (four days: OpenSMTPD MTA), or 172800 seconds (two days: Exim MTA).

  Informative remark: The DKIM section 5.2 defined "reasonable validation interval before [keys are] being removed from the key server" is being pointed to in that respect.

  Informative remark: For "ingress" signatures with the DKIM/ACDC "I" flag, as below, this limit does not apply: it MAY be as high as local policies desire, in order to support delayed verification of validation results.

• The AUID (DKIM, section 3.5, "i=" tag description) SHOULD be used, and the value should enable the signer to identify the originator for whom it creates the signature. The value SHOULD NOT hinder obfuscation, for example hiding real (sender etc.) address(es) for the purpose of cryptographically protecting email in an end-to-end security scenario.
• Configuration directives to verify that for locally created messages SMTP envelope MAIL FROM matches the first address of the IMF From: header field SHOULD be offered, and may be enabled by default.

  Informative remark: Offering an easily accessible constraint to ensure matching identities of envelope and message data for messages newly injected into the email system prevents an entire type of attack, which is not easy to counteract otherwise. Since parsing of "RFC5322.From" is a common DKIM operation (compare DMARC), bolstering a domains' operational stringency is in good hands.

  Informative remark: Not only for more context on operational email status reading , and using the Author: header field described there is recommendet.

• DKIM section 3.7 defines how "Computing the Message Hashes" has to be performed. Different to the RSA algorithm (RFC 8017) solely defined for DKIM at the time section 3.7 was written, modern algorithms include checksumming themselves. Section 3.7 is hereby modified in that the input to "sig-alg", the "data-hash", can adapt to standardized algorithms as appropriate. If an algorithm chooses adaption, "hash-alg" is only used to produce the "body-hash", whereas the input formerly used to create the "data-hash" is fed in full into "sig-alg", instead of to "hash-alg". More formally, the new pseudo-code for the signature algorithm is:

  Informative remark: An algorithm that exists in "adopted" and "non-adopted" variants MUST be treated as a single algorithm. For example, a constraint like "one X per algorithm" would not allow both variants to be used.

  Informative remark: Different to plain DKIM DKIM/ACDC, as below, requires to keep the normalized content of header fields around for consumption by the differential changes algorithm. The immediate consumption of all input by "hash-alg", as was and is implemented by certain (not all) DKIM software, can therefore no longer be a primary design goal. Whether the larger amount of data ("data-hash" vs all of "h-headers", "D-SIG", "body-hash"), when fed into "sig-alg", is of negative impact, is to a large extend a digital signature quality of implementation, and hardware performance issue.

• A new "Key Type" (DKIM section 7.6) is added: "EDA-SHA256". It is identical to ED25519 except for using the above adaption. DKIM/ACDC compatible software MUST support as well as "eda-sha256". The type "eda" MUST NOT be used for the backward compatible DKIM-Signature: header fields, but only for the "DKIX-" DKIM/ACDC-only variants, as below.

• Changes paradigm: there is absolute trust in public key cryptography.

  Informative remark: A correct cryptographic signature is the only known way to safely ensure message validity. A failing integrity check is described by from 2003 as "the message was corrupted or altered", meaning the system is "unable to validate the message". Furtherly processing and delegating such a message is misguided, not only in a world in which not even communication handshakes succeed in an identical situation.

• Introduces a flag second: base DKIM, and any base DKIM compatibility items introduced below, become obsolete after "t=" 2054847098 (0x7A7A7A7A hexadecimal), which corresponds to ISO 8601 2035-02-11T22:51:38Z. DKIM/ACDC aware software MUST NOT generate nor interpret compatibility items when the "t=" tag of signatures denotes a larger timestamp. It MAY have configuration options to do so much earlier, in general or for certain network communication partners.

  Informative remark: A "t=" older than the allowed maximum "t=" to "x=" delta (as above), or more than 84421 seconds in the future, MUST cause the signature to be ignored, or the message to be rejected in case the signature "is vivid"; in the latter case the reply code 550 is to be used; with enhanced SMTP status codes 5.4.7 ("delivery time expired") MUST be used. (A DKIM/ACDC DKIX-Sig: with the highest "sequence" is "vivid".)

• Introduces new header fields: DKIX-Sig: is the signature, DKIX-DC: covers differential changes, as necessary, and DKIX-AC: constitutes a access-control signature. There is also a "temporary" DKIX-Store: header field. They should be treated like trace headers, just like DKIM-Signature:.

  Informative remark: DKIM/ACDC treats the DKIM-Signature: header field as actively maintained legacy that is left alone, except that any such field generated by DKIM/ACDC aware software links to its corresponding DKIX-Sig: successor via the new "w=" tag, and may (will) be removed by later DKIM/ACDC aware hops as part of active mitigations : the DKIM section 4.2 "Interpretation" is cleared away in this respect. (Past the flag second any such field MUST be removed.)

  DKIX signatures MUST NOT be generated with the RSA algorithm ("rsa-sha256"). If a legacy DKIM-Signature: header field is generated, it may, or, for maximum compatibility, should be generated with it. Any DKIX header field MUST NOT have FWS in surrounding the "=" separator in key/value lists. More formally, this specification obsoletes the use of FWS in "ag-spec". (DKIM/ACDC thus "reverts" back to "original policies" as used for example by MIME.)
• Places signatures in an ordered, numbered, random-accessible sequence which' state correlate. (Signatures generated at the same hop share a sequence number.)

  Informative remark: With DKIM/ACDC it can be, and usually is, sufficient to verify only the cheaply detectable highest numbered signature.

• Adds reversible data difference tracking, and as such supports cryptographical content verification of any (DKIM/ACDC aware) intermediate message state, up to the initial variant as sent by the author.
• Cryptographically protects the SMTP envelope, that is, RCPT TO addresses as well as the MAIL FROM address.

  Informative remark: Replay of valid messages to initially not addressed recipients, as well as backscatter bounces to random addresses instead of the originator, becomes detectable.

• The advices of DKIM section 5.4 and 5.4.1, "Determine the Header Fields to Sign" and "Recommended signature content", respectively, are replaced with a dedicated header field database , the members of which MUST be signed. Database members are not announced via the "h=" tag. Instead DKIX-Sig: uses a "visualized" bitset that is stored in the "hfdb-bits" subtag of the "acdc=" tag.

  Informative remark: For DKIX-Sig: "h=" becomes an optional tag that is only used to denote those fields which are not covered by the database.

  Informative remark: The concept of "sealing" or "oversigning", that is, the DKIM saying of section 3.5, "h=" tag description, to "sign fields not present at the time of signing" does not apply. Each hop signs the message state it sees, and content changes are recorded via DKIX-DC: differential changes.

  Side note: It is not up to DKIM(/ACDC) to decide upon the validity of changes. With DKIM/ACDC it is just like today, but in a standardized fashion: each hop "mitigates away" elder message instances to create a valid signature environment for hops further down the message path. Different to today, however, these hops can cryptographically verify and inspect elder instances up the path, back to the message author. Since DKIM/ACDC mitigations require message content changes to "take message ownership", this is always visible to and verifiable by end users. Oversigning has no meaning: without content changes nothing is mitigated, with changes mitigations can be unrolled.

• Only makes use of the "relaxed" canonicalization type. The "simple" variant MUST NOT be used. (A rational for choosing "relaxed" is given in the section "Further DKIM Updates".)
• Allows recognition of certain flagged conditions (along the message path) only by looking at the highest numbered signature.
• Allows cryptographically verifiable collection of statistics of organizational trust (, section 2.5) along the entire message path.

• The tag starts with the "sequence" subtag, a decimal number starting at 1, or incremented by 1 from the highest DKIM/ACDC "sequence" encountered in the message; the maximum value is 999: if incrementing would result in overflow, the message MUST be rejected; detected sequence holes MUST also cause rejection (but see below); in both cases SMTP reply code 550 is to be used; with enhanced SMTP status codes 5.5.4 MUST be used.

  Informative remark: The chosen limit seems sufficiently high to never cause problems in practice; compare for example SMTP section 6.3 "Loop Detection".

  Multiple signature header fields with the same "sequence" MAY be generated by a domain, in which case each field MUST use a different "s=" selector, and maximally one selector per algorithm MUST be used.
• The second subtag after "sequence" is "hfdb-bits", a "visualized" (base 36) bitset that stores 5 bits per byte (examplary C code exists ), and records presence of header fields which are part of the header field database . (Standard conforming messages always have multiple header fields announced by "hfdb-bits", but "hfdb-bits" MUST be at least presented by "0".)

  Informative remark: The optional "h=" tag is only used for header fields which are not included in the database. An empty "h=" tag MUST NOT be generated.

• The third subtag contains a list of flags that announce state and conditions of the message at its current point in the message path. If a flag is said to be necessary, all flags that it implies must also be set, even if not explicitly mentioned. Flag description is normative. (Again: note the missing FWS separators around "="!) ABNF:

  A

  Alongside the "V" flag (see there) only: all existing signatures were verified.

  D

  The message content was modified at this hop, differential changes were generated, and are stored in a DKIX-DC: header field. The "Y" flag has to be set.

  C

  The hop signals interest in collection and (periodical) report of statistical informations regarding (this) message(s). The exact semantics are out of scope for this document. As an example of what this could be DMARC aggregate reporting (RFC 9990) may be mentioned.

  E

  The SMTP envelope (MAIL FROM and/or RCPT TO) was modified. The "O" or "N" flag has to be set if the MAIL FROM changed. The "y" flag has to be set. But for "I"ngress signatures a new "Access Control" evaluation has been performed. Existing DKIX-AC: header fields MUST be removed.

  I

  This signature header field was generated at ingress. Special rules apply to these signatures, for example unlimited "x=" tag expiration.

  Informative remark: Such fields offer a cryptographically verifiable message state authentication contract: for as long as the ("local") "s=" selector announced key is available, the message state at the time it entered the "local" email processing system is assurable by for example user interfaces.

  All signature instances with this flag set MUST be removed when messages enter and leave the email system. This is meant as simple: if the flag is set, remove the field.

  Informative remark: If a local "I" message is removed on egress, the newly generated DKIX-Sig: overtakes its logical flag subset.

  L

  This hop announces that it supports the SMTP extension STARTTLS. The flag MUST only be set if any incoming SMTP connection will reach a TLS-enabled endpoint. Author remark: "Dies mein Abendgruss folgend dem SRV DNSSEC Blues" ("here my evening greeting following the SRV dnssec cheatin'").

  N

  The hop detected an unprotected or "irregulary changed" SMTP envelope (compare the mutual exclusive "O" flag), but the message will be accepted, necessarily alongside the "Z" flag. Some non DKIM/ACDC aware hop changed the SMTP envelope. If there is a DKIX-AC: header field, the access control check MUST instead fail if (at least the domain of) the MAIL FROM is unchanged. The "E" flag has to be set.

  Informative remark: Except for messages with "sequence" 1 the "N" state is usually mitigated , causing the "O" flag condition.

  O

  This hop claims the message origin. This either means that the message originated at this hop, in which case the signature (usually, DKIM-typical) refers to the first address of the From: header field, and the "sequence" is 1. Or it means the current hop was the, quoting , "final delivery for the [original] message", that the message got a "new envelope return address", that is, the MAIL FROM of the SMTP envelope was changed. In this case the "E" flag has to be set.

  P

  Postmaster mode. With this flag set the behavior of DKIM/ACDC borders test mode in that rejections must not occur (due to DKIM/ACDC). This is to allow for a communication possibility window in a situation where messages would always be rejected, due to misconfigurations et cetera, and as such reflects SMTP section 4.5.1 Minimum Implementation. If the "sequence" is 1, message recipients have to be inspected. If the IMF header fields To: and Cc: only contain a single addressee with the local-part postmaster, and if the same "postmaster" is addressed as the only SMTP RCPT TO recipient, then the "P" flag has to be set. Once set, all future DKIM/ACDC signatures must copy it. It MUST, however, be removed when in conjunction with the "E" flag the according SMTP envelope conditions are no longer satisfied.

  R

  Reputation check to collect organizational trust (, section 2.5) along the signature chain was performed. On top of the "V" (and possibly "A") flag(s) this means that all differential changes have been applied, and all signatures (at least one per "sequence") along the chain have been verified, and the entire chain validated correctly. Only in signatures with a "sequence" greater than 1, and without the "z" flag.

  Informative remark: The presence of "R" reveals local state publically; however, in a chain of trust this seems desirable even. The use of organizational trust may for example mean to perform full reputation checks more and more sparingly, the higher the trust, falling back to only random checks. (For a more complete example, see , section 2.5.)

  S and s

  Only in conjunction with the "I" flag: upon ingress the SPF state was, or was not, respectively, successfully verified.

  Informative remark: From DKIM/ACDC's point of view SPF is legacy, and it actively mitigates it to transpose trust to DKIX-AC: (also see the "N" flag). With DKIM/ACDC SPF users can announce the strict -all mode that allows SPF verifiers to apply policy.

  T

  This hop requires complete trust to be put into its signature. In general all DKIX-DC: header fields were removed, applying changes for verification of elder signatures is therefore impossible. Corresponding additional flags have to be set, like "Z". Please read about the "t" flag.

  t

  This is like "T", except that DKIX-DC: header fields are not (yet) removed, so that elder signatures (to the extend as indicated by the usual DKIM/ACDC flag machinery) can be verified.

  Informative remark: the "T" and "t" flags are meant to adapt to operational reality. There "trusted proof points" are hired to handle email, to apply all the necessary checks for, and removal of spam, malicious, dangerous, or otherwise undesired message (MIME part) content, before passing the results further to their real recipients. As of today only the "equivalent of T" is a known mode of operation; DKIM/ACDC, however, allows for a new business model via "t": the "trusted proof point" readily prepares messages just like today, but also creates and includes a DKIX-DC: header field to undo these modifications, as well as keeping all elder DKIX-DC: header fields intact. (Read: simply through the normal DKIM/ACDC mode of operation, except for setting the "t" flag in addition.) Turning a "t" message into a "T" message practically means nothing but removing the DKIX-DC: header fields: an operation that can fastly and safely be performed by simplemost command line utilities or scripting languages, thanks to the plain-text nature of SMTP, of IMF messages. DKIM/ACDC aware software MAY also offer a mode which removes DKIX-DC: header fields after the signature verification step (and creation of an "I" signature) for messages tagged "t" coming from a configurable "trusted proof point".

  Informative remark: because DKIX-DC: header fields are covered by the "dch=" hash, removing them still allows for successful signature verification, simply by trusting the original "dch=" checksum. DKIM/ACDC's "t" flag allows customers to perform a complete "R" reputation check on data delivered by "trusted proof points". (To be written or extended message access software could also be allowed to access more portions via DKIX-DC:.) It is only their users verifying "I" ingress signatures who have no option but putting trust into "dch=" hashes.

  V

  DKIM/ACDC signature verified successfully. The signature with the highest "sequence" has been verified correctly, the (otherwise untested) DKIM/ACDC signature chain is complete, and their flags make sense (in the sequence). In conjunction with the flag "R" even deeper inspection was performed. If multiple signatures with the same highest "sequence" exist, the verifier behavior is unspecified in that "V" signals success: at least one signature was checked, and all tested signatures verified successfully. If however all signatures were verified, the "A" flag SHOULD be set; in single-signature cases the "A" flag MAY be omitted. Only in signatures with a "sequence" greater than 1.

  v

  DKIM signature verified successfully. In signatures with "sequence" 1, then missing the "O", but with the "N" flag, it means the message originated at a non DKIM/ACDC aware hop, and normal DKIM processing was performed and succeeded. If the signature covering "RFC5322.From" verified the "Z" flag must be set, otherwise "z". In messages with a higher "sequence" it comes alongside the "X" flag: necessarily the DKIM/ACDC chain was broken, and the message changed, by an intermediate non DKIM/ACDC aware hop. The "z" flag must be set.

  X

  DKIM/ACDC verification failed. Also see "v" and "x" flags. The "z" flag must be set.

  x

  "Plain old DKIM verification" failed, or there was no (more) signature to verify. In signatures with "sequence" 1, then missing the "O", but with the "N" flag, it means the message originated at a non DKIM/ACDC aware hop, and normal DKIM processing was performed and failed. The "z" flag must be set. Otherwise, with an existing DKIM/ACDC chain, it comes alongside the "X" flag: necessarily the chain was broken, and the message changed, by an intermediate non DKIM/ACDC aware hop. The "z" flag must be set.

  Y

  The message has seen IMF modifications: somewhere along the chain the message data was modified. Once set, all future DKIM/ACDC signatures must copy it.

  y

  The message has seen SMTP envelope modifications: somewhere along the chain the envelope was modified. Once set, all future DKIM/ACDC signatures must copy it.

  Z

  Announces the DKIM/ACDC chain is incomplete. The message was processed by DKIM/ACDC unaware hops. However, the message verifies correctly and seems to have never been modified non-reversibly. Once set, all future DKIM/ACDC signatures must copy it, unless later downgraded to the "z" flag.

  z

  The message has seen non-reversible modifications, and cannot be cryptographically verified back to its origin. Once set, all future DKIM/ACDC signatures must copy it. When a message newly enters, or "reenters", the "z" state, all existing DKIX-DC: header fields MUST be removed.

  Informative remark: Often "z" signals a condition that MUST cause message rejection, for example in conjunction with the "x" flag. Local policy MAY behave differently for certain conditions, but SHOULD NOT, as the flag combination may reduce the hops organizational trust (, section 2.5).

  "id"

  The optional "message and bounce identifier" offers enough room for Universally Unique IDentifiers.

  Informative remark: It MAY be generated to help sending domains to uniquely identify messages within the "t=" and "x=" time delta, as well as to ensure that successively sent identical messages are not detected as being the same. It MUST be generated if the signature does not cover a Message-ID: header field, and it SHOULD be used if the uniqueness of the "msg-id" is dubious.

  Informative remark: Receiving domains SHOULD NOT use this identifier due to the denial of service attack surface, regardless of collected organizational trust.

  Unknown flags MUST be ignored. Invalid flag combinations and flag misuse, as far as detectable, and false "hfdb-bits" specifications MUST result in rejection with SMTP reply code 550; if enhanced status codes are used, 5.5.4 MUST be used.

Informative remark: In order to achieve locality it is suggested to "privately encrypt" data passed around in this temporary header field.

Informative remark: MTA-integrated DKIM/ACDC implementations can create perfect fit DKIX-AC: header fields only for recipients truly accepted by the receiving MTA (not hindering even SMTP pipelining), and use successive transmissions until all recipients have been worked.

Informative remark: The now mandatory and constrained "x=" tag allows for finite identity cache sizes.

Informative remark: Perfect fit DKIX-AC: header fields can create write-once cache entries.