[ietf-dkim] ADSP Informative Note on parent domain signing
doug.mtview at gmail.com
Tue Apr 7 14:37:53 PDT 2009
On Apr 7, 2009, at 1:58 PM, Siegel, Ellen wrote:
> Maybe something more like the following?
> "ADSP should not be used for domains that use "i=" values to enable
> a parent domain to sign for a subdomain (as described in section 3.8
> of [RFC4871]) unless an additional signature where the "d=" domain
> matches the "i=" domain is added."
Disagree. The proposed change in the ADSP Author Domain Signature
definition is to allow the i= value to represent any sub-domain and/or
any local-part within the domain. Unless further revised, the Author
Signature definition still requires a valid DKIM signature applied by
the Author Domain. In other words, the From email-address domain
(Author Domain) and the SDID must be the same.
The current ADSP Author Signature definition in Section 2.7 states the
An "author signature" is a Valid Signature that has the _same_ domain
name in the DKIM signing identity as the domain name in the Author
Dropping the i= value as a constraining issue was the goal. This can
be done by striking the following in
If the DKIM signing identity has a Local-part, it is to be identical to
the Local-part in the Author Address. Following [RFC5321], Local-part
comparisons are case sensitive, but domain comparisons are case
For example, if a message has a Valid Signature, with the DKIM-
Signature field containing "i=a at domain.example", then domain.example
is asserting that it takes responsibility for the message. If the
message's From: field contains the address "b at domain.example", that
would mean that the message does not have a valid Author Signature.
Even though the message is signed by the same domain, it will not
satisfy ADSP that specifies "dkim=all" or "dkim=discardable".
Note: ADSP is incompatible with valid DKIM usage in which a signer
uses "i=" with values that are not the same as addresses in mail
headers. In that case, a possible workaround could be to add a second
DKIM signature with a "d=" value that matches the Author Address, but no
The following could be an appropriate note:
Informative Note: DKIM signing by parent domains as described in
section 3.8 of [RFC4871] where a parent domain signs for a sub-domain
within the From email-address will not represent an Author Domain
Signature. ADSP requires the From email-address domain (Author
Domain) and the signing domain (SDID) to be the same.
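The distinction argued over in this message (whether the Author Signature test looks at the "i=" identity or only at the "d=" SDID) is easy to get wrong in a verifier. The following is an added example, not code from the list message or from any IETF draft: it implements both readings side by side, the current Section 2.7 wording (signing identity domain must equal the Author Domain, and a local-part in "i=" must equal the From local-part) and the proposed wording (only "d=" must equal the Author Domain), and runs them over the "a@domain.example" / "b@domain.example" case from the message and a parent-domain signing case. The function names, the minimal tag parser and the sample header values are all hypothetical; the fallback of treating a missing "i=" as "@" plus the "d=" domain follows the RFC 4871 default for the i= tag.

```python
"""Added example (not from the list message or any IETF draft): decide
whether a DKIM signature counts as an ADSP Author Signature under the
current definition quoted in the message and under the proposed one.
All helper names and sample header values below are hypothetical."""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class DkimSig:
    d: str              # SDID: the "d=" signing domain
    i: Optional[str]    # AUID: the "i=" identity, None if the tag is absent


def parse_dkim_signature(header: str) -> DkimSig:
    """Minimal tag=value parser for a DKIM-Signature header value.
    Only d= and i= are kept; a missing d= is an error."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if "d" not in tags:
        raise ValueError("DKIM-Signature lacks a d= tag")
    return DkimSig(d=tags["d"], i=tags.get("i"))


def split_address(addr: str) -> Tuple[Optional[str], str]:
    """Split 'local@domain' or '@domain' into (local or None, domain)."""
    local, _, domain = addr.rpartition("@")
    return (local or None), domain


def is_author_sig_current(from_addr: str, sig: DkimSig) -> bool:
    """Current Section 2.7 wording: the DKIM signing identity (i=) must carry
    the same domain as the Author Address, and if it has a Local-part that
    Local-part must be identical (case-sensitive) to the From Local-part.
    Domains are compared case-insensitively, per RFC 5321."""
    from_local, from_domain = split_address(from_addr)
    # RFC 4871 default when i= is absent: "@" followed by the d= domain
    identity = sig.i if sig.i is not None else "@" + sig.d
    id_local, id_domain = split_address(identity)
    if id_domain.lower() != from_domain.lower():
        return False
    if id_local is not None and id_local != from_local:
        return False
    return True


def is_author_sig_proposed(from_addr: str, sig: DkimSig) -> bool:
    """Proposed wording: only the SDID (d=) must equal the Author Domain;
    i= may name any local-part or sub-domain and is not consulted."""
    _, from_domain = split_address(from_addr)
    return sig.d.lower() == from_domain.lower()


if __name__ == "__main__":
    # Constructed sample headers (signature data omitted as placeholders)
    same_domain = parse_dkim_signature(
        "v=1; a=rsa-sha256; d=domain.example; s=sel; "
        "i=a@domain.example; bh=PLACEHOLDER; b=PLACEHOLDER")
    parent_signed = parse_dkim_signature(
        "v=1; a=rsa-sha256; d=domain.example; s=sel; "
        "i=@sub.domain.example; bh=PLACEHOLDER; b=PLACEHOLDER")

    # The message's example: signed by domain.example with i=a@, From: b@
    print("current :", is_author_sig_current("b@domain.example", same_domain))
    print("proposed:", is_author_sig_proposed("b@domain.example", same_domain))
    # Parent domain signing for a sub-domain in the From address
    print("proposed, parent-signed sub-domain:",
          is_author_sig_proposed("user@sub.domain.example", parent_signed))
```

Running the module shows the two points the message makes: under the current wording the "i=a@domain.example" signature is not an Author Signature for a "b@domain.example" From address even though the domain matches, while under the proposed wording it is; and under the proposed wording a parent-domain signature ("d=domain.example") never qualifies for a sub-domain Author Address, which is what the Informative Note states.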