[ietf-dkim] Keys vs. Reputation
dotis at mail-abuse.org
Mon Aug 21 22:48:58 PDT 2006
On Mon, 2006-08-21 at 22:29 -0400, Wietse Venema wrote:
> Douglas Otis:
> > When Big-Bank.com is coerced into using subdomains to partition their
> > messages, their customers will see more complex domain names within
> > the email-addresses and might become confused by what they see.
> > Perhaps this might be subdomains like:
> > local-part at Employees.Big-Bank.com
> > local-part at Services.Big-Bank.com
> > local-part at New-Accounts.Big-Bank.com
> > local-part at Promotion.Big-Bank.com
> > local-part at Western-Region.Ads.Big-Bank.com
> > etc.
> No, the SIGNER uses different d= domains in the signature HEADER.
When DKIM fails to offer a means to assure the validity of the
2822.From address, then an important goal has been missed. The use of a
subdomain for signing removes an ability to indicate with the i= syntax
that the 2822.From is assured to be valid.
It is possible to list a subdomain (or any other domain) as a designated
domain within the 2822.From policy. This policy could assert the listed
designated domains assure the 2822.From addresses are valid ("as-if"
they were a 1st Party domain). In this case however, accessing policy
is required to obtain an assurance the 2822.From is valid. : (
On the other hand, a convention using the s= selector still allows a
means to partition the domain, allow the signature to directly make an
assertion that the 2822.From is valid, and offer multiple keys per
d=domain. This is achieved without needing to obtain policies or
altering the email-address.
More information about the ietf-dkim