Welcome to the mailbox.org user forum!
 

Inconsistent "Authentication-Results" of mailbox servers seems potentially risky

Ellie shared this idea 8 days ago
Proposed

Currently, the mailbox SMTP server seems to apply the "Authentication-Results" header only if DKIM signatures were found. This can be a problem when enabling Auto PGP, where an e-mail client may be configured to rely on the headers instead, and given an attacker can inject "Authentication-Results" further below in the return path as well.

In practice, the e-mail IMAP clients I tested simply seem to check whether any "Authentication-Results: ... dkim=pass" header is present in the absence of any specifying "none" or "fail". They seem to do this even if there is no DKIM signature present at all. This seems to mean that if the mailbox SMTP server doesn't always set "Authentication-Results", a client might blindly trust an attacker-injected one even in the absence of a valid DKIM signature.

Unless I'm missing something, mailbox should probably always inject "Authentication-Results", e.g. via OpenDKIM's AlwaysAddARHeader.
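To make the behaviour described above concrete, here is an added illustration that is not part of the post and not mailbox.org's code. It contrasts the naive client check ("any dkim=pass header anywhere") with a stricter one that trusts only the topmost Authentication-Results header carrying the receiving MTA's own authserv-id (RFC 8601). The three messages and the authserv-id `mx.receiver.invalid` are constructed placeholders. The third message shows why the stricter client check alone is not enough: when the MTA adds no header, the only header left is the upstream one, so the fix has to be server-side (always adding the header).

```python
import email
from email import policy

# Constructed placeholder for the receiving MTA's authserv-id; not a real mailbox.org host.
TRUSTED_AUTHSERV_ID = "mx.receiver.invalid"


def parse_authres(value):
    """Split an Authentication-Results value (RFC 8601) into (authserv-id, {method: result})."""
    clauses = [c.strip() for c in value.split(";")]
    authserv_id = clauses[0].split()[0].lower()      # an optional version token may follow the id
    results = {}
    for clause in clauses[1:]:
        if not clause or clause.lower() == "none":   # "authserv; none" means no methods were run
            continue
        token = clause.split()[0]                    # e.g. "dkim=pass (comment) header.d=..."
        if "=" in token:
            method, result = token.split("=", 1)
            results[method.lower()] = result.lower()
    return authserv_id, results


def naive_verdict(raw_message):
    """The client behaviour the post describes: 'pass' if any A-R header anywhere says dkim=pass."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for header in msg.get_all("Authentication-Results", []):
        _, results = parse_authres(str(header))
        if results.get("dkim") == "pass":
            return "pass"
    return "none"


def topmost_verdict(raw_message, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """Trust only the topmost A-R header, and only if it carries the receiving MTA's authserv-id.

    The receiving MTA prepends its header last, so anything further down came from an
    earlier hop or the sender. This only helps if that MTA adds a header on every message.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    headers = msg.get_all("Authentication-Results", [])
    if not headers:
        return "none"
    authserv_id, results = parse_authres(str(headers[0]))
    if authserv_id != trusted_authserv_id.lower():
        return "none"                                # not our MTA's verdict: treat as unauthenticated
    return results.get("dkim", "none")


# Constructed sample messages (not real traffic).
# 1) A normally signed message: the MTA verified the signature and recorded the result.
SIGNED = (
    "Authentication-Results: mx.receiver.invalid; dkim=pass (2048-bit key) header.d=sender.invalid\n"
    "From: alice@sender.invalid\nSubject: hi\n\nbody\n"
)
# 2) The MTA always adds a header: its "none" sits above a dkim=pass claim from a lower hop.
MTA_ALWAYS_ADDS = (
    "Authentication-Results: mx.receiver.invalid; none\n"
    "Authentication-Results: mx.receiver.invalid; dkim=pass header.d=sender.invalid\n"
    "From: alice@sender.invalid\nSubject: hi\n\nbody\n"
)
# 3) The MTA stays silent when there is no signature: the only header left came from upstream.
MTA_SILENT = (
    "Authentication-Results: mx.receiver.invalid; dkim=pass header.d=sender.invalid\n"
    "From: alice@sender.invalid\nSubject: hi\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("signed", SIGNED), ("mta-always-adds", MTA_ALWAYS_ADDS), ("mta-silent", MTA_SILENT)]:
        print(f"{name:16} naive={naive_verdict(raw):5} topmost={topmost_verdict(raw)}")
```

Running it shows the naive check reporting "pass" for all three messages, while the topmost-header check reports "none" for the second message (the MTA's own header wins) but still "pass" for the third, because without a header from the MTA the client has nothing authoritative to compare against. That is the case an always-added header (such as OpenDKIM's AlwaysAddARHeader) closes.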
