[ietf-dkim] Are subdomains like parent domains?

[Al Iverson]

On 4/29/08, J D Falk <jdfalk at returnpath.net> wrote:

> IMHO the thing about phishers forging nonexistant domains is a
> non-issue.  I can not imagine any circumstances where a nonexistant
> domain with no possibility of an ADSP statement will be given the same
> privleges as an existing domain that does have an ADSP statement.  I can
> much more easily imagine someone setting up newservice.example.com
> without realizing that their new service falls under example.com's ADSP
> statement, thus causing general bad feelings about ADSP and DKIM in
> general.

Could I ask you to theorize for me for a moment? Pretend you're a
receiver who sets your own policies, and pretend you're giving it the
kind of thought that a Hotmail or Yahoo would hopefully give to it.

OK, let's assume ADSP has no "tree walking" or "subzone inheritance" feature.
A sender is sending legitimate mails with customercare.bigbank.com
with DKIM and an ADSP policy.
If a phisher sends mail with a PRA of customer-care.bigbank.com, that
would not be signed, and it would not fall under any ADSP policy.

In your perfect world, as an imaginary receiver, how would you discern
between the two sets of messages? What DKIM or ADSP-related measure
could you make that would make it easier for you to can the phishing
mail?

I guess I'm even making an assumption that you would care to do that.
Would you? If not, why not?

If not, what do you theorize the operational objective of ADSP should be?

Al
-- 
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com   --   Chicago, IL, USA
Remove "lists" from my email address to reach me faster and directly.