[ietf-dkim] Are lookalike domains like parent domains?
Al Iverson
aiversonlists at spamresource.com
Wed Apr 30 13:00:54 PDT 2008
On 4/30/08, Steve Atkins <steve at blighty.com> wrote:
> The NXDOMAIN thing means only one thing for a receiver. Don't
> accept mail that claims to be from non-existent domains.
>
> The reason there's discussion about it is that one of the ways
> in which ADSP is iffy is that it only doesn't allow you to state
> "I don't send unsigned mail from any hostname that ends
> in .example.com". If your domain is example.com, and I
> decide to send mail claiming to be from
> mail.flooble.example.com there's no way you can publish
> an ADSP record to assert that that mail isn't from you, unless
> you guess the magic word "flooble".
>
> You, of course, don't care because you know there's no
> hostname or MX record for mail.flooble.example.com, so
> no right-thinking recipient will consider it legitimate mail
> anyway.
Thanks, that's what I thought, I think.
What if the From is a subdomain that isn't being used for mail, but
commonly exists? Let's say I set up DKIM+ADSP for spamresource.com and
mail.spamresource.com. Without any sort of tree walking, if I forget
to configure ADSP for www.spamresource.com, this could potentially get
through as "doesn't have DKIM but the domain is legit." Isn't this a
potential loophole that is resolved only by a very careful vetting of
everything in your domain tree and ensuring each hostname/zone is
configured with ADSP? Or am I wrong on that?
It seems like the tree walking would help to address stuff like this...?
Best,
Al
--
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com -- Chicago, IL, USA
Remove "lists" from my email address to reach me faster and directly.
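To make the lookup behaviour the thread is discussing concrete, here is an added illustration (not from the thread or any participant) of an ADSP-style check run against a constructed in-memory DNS table for the domains named above; it assumes the `_adsp._domainkey.<domain>` TXT record with a `dkim=` tag, and the optional tree walk is a hypothetical extension of the lookup, not something ADSP itself does.

```python
# Constructed stand-in for DNS: name -> list of TXT records.
# A name absent from the table does not exist at all (NXDOMAIN).
FAKE_DNS = {
    "spamresource.com": [],                              # exists, no TXT
    "_adsp._domainkey.spamresource.com": ["dkim=all"],
    "mail.spamresource.com": [],
    "_adsp._domainkey.mail.spamresource.com": ["dkim=all"],
    "www.spamresource.com": [],                          # exists, ADSP forgotten
}

def lookup_txt(name):
    """Return TXT records for name, or None if the name does not exist."""
    return FAKE_DNS.get(name)

def adsp_policy(author_domain, tree_walk=False):
    """Evaluate the ADSP policy that applies to an unsigned message from
    author_domain.  Returns 'nxdomain', 'none' (no ADSP record found),
    or the dkim= value: 'unknown', 'all' or 'discardable'."""
    if lookup_txt(author_domain) is None:
        return "nxdomain"  # domain does not exist: refuse, no policy needed
    labels = author_domain.split(".")
    # ADSP only ever looks at the exact author domain.  The hypothetical
    # tree walk climbs toward the parent zone (stopping above the TLD).
    candidates = [author_domain]
    if tree_walk:
        candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for name in candidates:
        records = lookup_txt("_adsp._domainkey." + name) or []
        for rec in records:
            for tag in rec.split(";"):
                key, _, value = tag.strip().partition("=")
                if key == "dkim" and value in ("unknown", "all", "discardable"):
                    return value
    # No record at any candidate: the receiver has no policy to apply, so an
    # unsigned message simply passes as "no DKIM, but the domain is legit".
    return "none"

if __name__ == "__main__":
    for dom in ("mail.spamresource.com", "www.spamresource.com",
                "mail.flooble.spamresource.com"):
        print(dom, adsp_policy(dom), adsp_policy(dom, tree_walk=True))
```

The `www.spamresource.com` case is the loophole described above: the host exists, so the NXDOMAIN check does not help, and the exact-domain lookup finds no policy, whereas the tree walk inherits the parent's `dkim=all`.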