[ietf-dkim] Are lookalike domains like parent domains?
Steve Atkins
steve at blighty.com
Wed Apr 30 12:49:20 PDT 2008

On Apr 30, 2008, at 12:27 PM, Al Iverson wrote:
> On 4/30/08, Steve Atkins <steve at blighty.com> wrote:
>
>>> It's been pointed out to me that I've confused this "treewalking"
>>> discussion by forgetting that this thread is not discussing the
>>> NXDOMAIN issue. I have done this and I'm sorry about that. I view
>>> the NXDOMAIN check as essential since it is impossible for domain
>>> administrators to deploy ADSP records for sub-domains that do not
>>> exist.
>>
>> If the goals of ADSP are what I'm guessing they are, +1.
>
> Could you all help me to understand this point in more detail? Define
> the NXDOMAIN issue for me, and how it relates to receiver filtering
> decisions. Examples welcome. (I have some idea of what I think this
> means, but I'd like to see it clarified to better understand it.)

The NXDOMAIN thing means only one thing for a receiver. Don't
accept mail that claims to be from non-existent domains.

The reason there's discussion about it is that one of the ways
in which ADSP is iffy is that it doesn't allow you to state
"I don't send unsigned mail from any hostname that ends
in .example.com". If your domain is example.com, and I
decide to send mail claiming to be from
mail.flooble.example.com there's no way you can publish
an ADSP record to assert that that mail isn't from you, unless
you guess the magic word "flooble".

You, of course, don't care because you know there's no
hostname or MX record for mail.flooble.example.com, so
no right-thinking recipient will consider it legitimate mail
anyway.

The discussion is not over what recipient behavior in that
case will actually be (reject or discard it because it's
claiming to come from someone who doesn't exist), rather
it's over whether the ADSP spec needs to prescribe that
behavior.
Cheers,
Steve
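
An added example, not part of the original message: a receiver-side sketch of the point above, showing that a per-domain ADSP lookup says nothing about mail.flooble.example.com while a domain-existence check catches it. The zone data and toy resolver are constructed, the `_adsp._domainkey` record name and `dkim=` values are taken from RFC 5617 (the later published ADSP specification), and the function names and decision strings are illustrative assumptions.

```python
# Constructed zone data for illustration; names follow the example in the post.
ZONE = {
    "example.com": {"MX": ["10 mx.example.com"]},
    "mx.example.com": {"A": ["192.0.2.10"]},
    "_adsp._domainkey.example.com": {"TXT": ["dkim=all"]},
}

def lookup(name, rtype, zone=ZONE):
    """Toy resolver: returns (rcode, records) the way a DNS answer would."""
    name = name.lower().rstrip(".")
    if name in zone:
        return "NOERROR", zone[name].get(rtype, [])
    # An empty non-terminal (a name that only has children) still exists.
    if any(owner.endswith("." + name) for owner in zone):
        return "NOERROR", []
    return "NXDOMAIN", []

def adsp_practice(author_domain, zone=ZONE):
    """Practice published for exactly this domain, else 'unknown'."""
    _, txts = lookup("_adsp._domainkey." + author_domain, "TXT", zone)
    for txt in txts:
        tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
        if tags.get("dkim") in ("unknown", "all", "discardable"):
            return tags["dkim"]
    return "unknown"

def receiver_decision(author_domain, signed_by_author, check_nxdomain=True, zone=ZONE):
    """Hypothetical receiver policy combining the existence check with ADSP."""
    if check_nxdomain:
        rcode, _ = lookup(author_domain, "MX", zone)
        if rcode == "NXDOMAIN":
            return "reject: author domain does not exist"
    if signed_by_author:
        return "accept"
    practice = adsp_practice(author_domain, zone)
    if practice == "all":
        return "suspicious: unsigned mail from a domain that signs everything"
    if practice == "discardable":
        return "discard"
    return "accept: no ADSP statement applies"

if __name__ == "__main__":
    for domain in ("example.com", "mail.flooble.example.com"):
        for check in (False, True):
            print(domain, "check_nxdomain =", check, "->",
                  receiver_decision(domain, False, check_nxdomain=check))
```
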