[ietf-dkim] Issue #1534: Applying SSP to sub-domains does not work
Douglas Otis
dotis at mail-abuse.org
Wed Mar 19 15:30:52 PDT 2008
On Mar 19, 2008, at 10:17 AM, Jim Fenton wrote:
> Hector Santos wrote:
>> You need to throw away the whole idea of mandating an MX. MX is
>> for OUTGOING mail. DKIM is for INCOMING mail.
>
> We agree on this. Sorry if my long-winded explanation of why
> doesn't make that clear.
While email-addresses carried within a message aren't necessarily
related to SMTP, the impetus for DKIM is to deal with spoofing of
publicly transmitted messages over SMTP. While only MailFrom is
required to be compatible with SMTP, the From is not. However,
development of the DKIM policy should clarify it pertains to messages
sharing SMTP destinations. Any originating email-address is only
valid when the transport is able to carry the message to its
destination. In the case of SMTP, this requires publishing discovery
records, which currently are MX, and A records.
>> MA applies to the x821.MailFrom domain period. Attempting to tie
>> to the 2822.FROM is awkward and the proposed solution is
>> isolated to a few systems that believe they have a total solution
>> for the world.
>
> That's another good reason that hadn't occurred to me.
This is a good reason to specify the scope of the policy. What other
transports operating independently from SMTP will make use of DKIM
ADSP policy records? Once those attempting to discover policy are
able to understand the policy only relates to SMTP sources and
destinations, then and only then can discovery records play a role in
validating the domain. If there is to be any hope in defending the
DKIM process, determination of a valid domain is likely to be
essential. As abuse increases, this aspect of the SMTP protocol
becomes increasingly critical.
-Doug