DKIM-Signature:
 - allow version tag (DONE)
 - accept q=dns/txt (DONE)

DKIM Public Key Records:
 - enforce t=s option (if present)

Verifier:
 - verify multiple signatures (ietf05 6.1) (DONE)
 - check that From header is signed (ietf05 6.1.1)
 - check public key "granularity"
 - handle no response from first DNS server listed in resolv.conf
   (currently it goes to the second server after 5 seconds,
   but it does this for EVERY signature, so this will badly affect
   overall throughput)
 - **minor bug** - when Debug_Canonicalization=1 on a message with
   multiple signatures, the canonicalized output is recorded multiple times.
   Probably only the first valid signature should receive the
   Debug_Canonicalization option
 - provide semi-standard mechanism to report results of verification
   (including which, if any, of header.from and header.sender can be trusted)
 - provide mechanism in the API to run the DNS lookups in parallel with
   other processing (e.g. the SpamAssassin plugin would want to start the
   DNS queries as early as possible, but continue processing other aspects
   of the message while waiting for the DNS queries to complete)

Signer:
 - allow DomainKeys signatures without using a policy object
 - allow adding chained signatures in one pass
   (e.g. allow adding a DomainKeys signature, and a DKIM signature,
   with the new DKIM signature signing the new DomainKeys signature) (REJECTED)
 - allow creation of i=, l=, t=, x=, and z= tags
 - do header-wrapping to signature before signing
 - allow signer policy to change which private key is used

Testing (some of this may already be implemented):
 - test public key errors:
   - DNS timeout
   - SERVFAIL
   - syntax error in public key record
 - test DNS timeout for signing policy
 - test signature options:
   - unspecified query type
   - query type of "dns/"
   - bad query type
   - bad algorithm
   - unspecified algorithm
   - bad canonicalization
   - unspecified canonicalization
   - test presence of version tag in signature
 - IMPORTANT - allow `make test' to work when DNS is not available

Possible issues in base-10 draft:
 - 6.1.2 - check g= tag of public key against i= tag of signature
 - 6.1.2 - check h= tag of public key against a= tag of signature
 - 3.5 - t= tag, create it when signing messages, check it when verifying
 - 3.5 - x= tag, create it when signing messages, check it when verifying
 - 5.4 - allow better control of which headers to sign
 - 5.5 - recommended headers to sign and NOT to sign
 - 3.3.1 - what's an RSA exponent?
 - 6.1.1 - configurable list of unacceptable signing domains,
   e.g. "com" and "co.uk"
