[dkim-dev] ATPS v01 - Sub-domains support
hsantos at santronics.com
Thu Sep 30 11:13:25 PDT 2010
We have been reorganizing our domain usage, such as creating sub-domains
for particular usages, especially with DKIM and POLICY in mind.
For example, for domain example.com, the following might be signers.
So in the ASL logic, it supports sub-domain wild cards.
In this case, the ATPS v01 records would be:
IIDVI2YBMIIYPV4TLUQNC7KEVXATJDGE._atps TXT ("v=atps01;
6IR5HAYLK26EPDXOU2OFB4H3IZQS2HFR._atps TXT ("v=atps01;
7LL2CJ2APW7WS3B4DWNKS3Q4XYGIBOPZ._atps TXT ("v=atps01;
But what if we allow ATPS for a wild card hash?
RRYSFVSSZN56ELIZQ3Y7GCYH7VIQRWOA._atps TXT ("v=atps01; d=*.example.com;")
that way only one record is necessary for all the sub-domains of
Do you see any faults with this?
The goal would be to make less of a DNS management and update issue
for domains that add new sub-domain signers perhaps.
The query rule would be:
if the signer-domain is a subdomain of the author-domain, then
check the ATPS record for *.author-domain.
if not found, check the ATPS for the signer-domain.
Besides what looks like "more DNS" lookups, the idea would be good for
a primary domain which has many sub-domain signers.
Could we optimize it with the atps= tag;
the s character would mean an author-domain sub-domains wild card
record can be checked. Otherwise only 1 record per signer is expected.
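
The query rule proposed above, as an added example that is not part of the original post. It assumes the `_atps` label is the base32 encoding of the SHA-1 hash of the domain name (the post does not state the hash); `lookup_txt`, `allow_wildcard` (standing in for the proposed "s" character) and the zone contents are hypothetical and constructed for illustration.

```python
import base64
import hashlib

def atps_label(domain):
    """Assumed scheme: base32(SHA-1(lowercased domain)), 32 characters."""
    digest = hashlib.sha1(domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii")

def is_subdomain(signer, author):
    """Match on a label boundary only: evil-example.com is not under example.com."""
    signer, author = signer.lower().rstrip("."), author.lower().rstrip(".")
    return signer != author and signer.endswith("." + author)

def atps_query_names(signer, author, allow_wildcard=True):
    """Owner names to query, in the order the proposed rule gives."""
    signer, author = signer.lower().rstrip("."), author.lower().rstrip(".")
    names = []
    if allow_wildcard and is_subdomain(signer, author):
        # Step 1: the single wild card record for *.author-domain
        names.append(f"{atps_label('*.' + author)}._atps.{author}")
    # Step 2 (or the only step): the per-signer record
    names.append(f"{atps_label(signer)}._atps.{author}")
    return names

def atps_authorized(signer, author, lookup_txt, allow_wildcard=True):
    """Return (authorized, dns_queries_made).

    lookup_txt is a hypothetical resolver callback: owner name -> list of TXT strings.
    """
    queries = 0
    for name in atps_query_names(signer, author, allow_wildcard):
        queries += 1
        for txt in lookup_txt(name):
            if txt.replace(" ", "").lower().startswith("v=atps01"):
                return True, queries
    return False, queries

# Constructed zone: example.com publishes only the wild card record.
ZONE = {
    f"{atps_label('*.example.com')}._atps.example.com": ["v=atps01; d=*.example.com;"],
}

def zone_lookup(name):
    return ZONE.get(name, [])

if __name__ == "__main__":
    for signer in ("mail.example.com", "evil-example.com"):
        print(signer, atps_authorized(signer, "example.com", zone_lookup))
```

The second element of the result is the lookup count: a sub-domain signer costs one query on a wild card hit and two on a miss, which is the "more DNS" trade-off the post mentions.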