[ietf-dkim] Possible issue with Parent Domain logic in SSP
robert at barclayfamily.com
robert at barclayfamily.com
Tue Jan 8 10:14:46 PST 2008
I was rereading the validation algorithm last night and came across something that is either a good reason not to read these drafts at night, or a potential problem for some deployments. Among the companies I have worked with over the years it is fairly common practice to allocate a subdomain to some external party who manages some service for you. For example if you have transactional mails which you want to come from your domain but are actually managed by some third party who does billing for you you might point the NS record for billing.example.com to the third party so that they can manage the MX for that domain, the website, etc...
In reading the verification algorithm, since it assumes an SSP record is intended to cover not only the domain in the Originator address but also the parent of that domain this seems like it would create an issue for companies in this situation. Basically to enable these companies to create a STRICT record for their top level domain, they now need to be able to make assurances about something that is not directly in their control, specifically about a domain that they created with the specific intent that it be managed by someone else.
So if I am bank.com and have a significant problem with misuse of that exact domain and want to use SSP to help mitigate that risk but I have allocated a subdomain to some third part (say thirdparty.bank.com) it looks like my choices come down to
1) Publish SSP with dkim=unknown until thirdparty creates their own SSP record for thirdparty.bank.com
2) Take thirdparty.bank.com back from thirdparty and manage the DNS for whatever services they provide myself
3) Publish ssp with dkim=strict and let mail for thirdparty fail to be validated
I understand the operation efficiency that is created by assuming that a record for a parent domain covers its immediate subdomains but assuming that the practices of one domain apply to another seems like it may create some issues for the quality of those practice assertions.
Hopefully I have read this wrong or someone has a better solution than the three I outlined above.
Robert
_________________________________________________________________
Put your friends on the big screen with Windows Vista® + Windows Live™.
http://www.microsoft.com/windows/shop/specialoffers.mspx?ocid=TXT_TAGLM_CPC_MediaCtr_bigscreen_012008
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mipassoc.org/pipermail/ietf-dkim/attachments/20080108/f7fd4c46/attachment.html
More information about the ietf-dkim
mailing list