[dkim-dev] ATPS v01 - Sub-domains support

Hector Santos hsantos at santronics.com
Thu Sep 30 11:13:25 PDT 2010


Murray,

We have been reorganizing our domain usage, such as creating sub-domains 
for particular usages, especially with DKIM and POLICY in mind.

For example, for domain example.com, the following might be signers.

    list1.example.com
    list2.example.com
    dkim.example.com

So in the ASL logic, it supports sub-domain wild cards.

    asl=*.example.com

In this case, the ATPS v01 records would be:

    IIDVI2YBMIIYPV4TLUQNC7KEVXATJDGE._atps  TXT ("v=atps01; d=list1.example.com;")
    6IR5HAYLK26EPDXOU2OFB4H3IZQS2HFR._atps  TXT ("v=atps01; d=list2.example.com;")
    7LL2CJ2APW7WS3B4DWNKS3Q4XYGIBOPZ._atps  TXT ("v=atps01; d=dkim.example.com;")

But what if we allow ATPS for a wild card hash?

    RRYSFVSSZN56ELIZQ3Y7GCYH7VIQRWOA._atps  TXT ("v=atps01; d=*.example.com;")

That way only one record is necessary for all the sub-domains of 
example.com.

Do you see any faults with this?

The goal would be to make less of a DNS management and update issue 
for domains that add new sub-domain signers perhaps.

The query rule would be:

    if the signer-domain is a subdomain of the author-domain, then
    check the ATPS record for *.author-domain.

    if not found, check the ATPS for the signer-domain.

Besides what looks like "more DNS" lookups, the idea would be good for 
a primary domain which has many sub-domain signers.

Could we optimize it with the atps= tag:

    atps=ys;

The s character would mean an author-domain sub-domain wildcard 
record can be checked. Otherwise only 1 record per signer is expected.

-- 
Sincerely

Hector Santos
http://www.santronics.com
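The label construction and the proposed query rule, as an added example that is not code from the message or from any ATPS implementation. It assumes the label is base32(SHA-1(domain)) with padding stripped, which matches the 32-character labels shown, and uses a constructed in-memory zone in place of DNS; the query count shows the extra lookup the wildcard rule can cost.

```python
import base64
import hashlib

def atps_label(domain):
    # Assumption (not stated in the message): SHA-1 of the lowercased name,
    # base32-encoded, padding stripped -> 32-character labels as shown above.
    digest = hashlib.sha1(domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")

def atps_query_name(domain, author_domain):
    # Owner name of the TXT record that authorizes `domain` for `author_domain`.
    return "%s._atps.%s" % (atps_label(domain), author_domain)

def parse_atps_txt(txt):
    # "v=atps01; d=list1.example.com;" -> {"v": "atps01", "d": "list1.example.com"}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def is_subdomain(child, parent):
    return child.lower().endswith("." + parent.lower())

def build_zone(author_domain, authorized):
    # Constructed sample zone: one ATPS TXT record per authorized signer.
    return {atps_query_name(d, author_domain): "v=atps01; d=%s;" % d
            for d in authorized}

def lookup_atps(zone, signer, author_domain, wildcard_allowed):
    """Apply the proposed rule; return (authorizing domain or None, queries made).
    With the 's' flag (atps=ys) and a signer under the author domain, the
    *.author-domain record is tried first, then the exact signer record."""
    candidates = []
    if wildcard_allowed and is_subdomain(signer, author_domain):
        candidates.append("*." + author_domain)
    candidates.append(signer)
    queries = 0
    for domain in candidates:
        queries += 1
        txt = zone.get(atps_query_name(domain, author_domain))
        if txt is None:
            continue
        tags = parse_atps_txt(txt)
        # d= must name the domain we hashed, so a mismatched record does not authorize.
        if tags.get("v") == "atps01" and tags.get("d", "").lower() == domain.lower():
            return domain, queries
    return None, queries
```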
