John Levine wrote:
> It certainly is an option, and it would certainly work. But
> personally, I reserve use of the words "best practice" for things that
> have been shown to work better than all other options. I don't know
> that that's been measured yet.
Good point... I figured someone would say it :-)
> The real problem is that we're all guessing. If everyone followed the
> rules for DKIM and ADSP, it wouldn't matter what domains you used,
> since the specs make it quite clear that as far as DKIM is concerned,
> there's no relation between one domain and another, even if one is a
> subdomain of another.
But here you are expressing an opinion not everyone agrees with, now
that the 4871 specs say this. I don't endorse what 4871bis says about
separating the association, because it's another engineering conflict
and mistake. As long as DKIM binds the 5322.From as a signature
requirement, not an option, it will always, by technical engineering
design, be an association and relationship. Yes, we all know you want
to break that relationship, hence all the policy conflicts. You just
can't have software do one thing and use "words" to say it means
nothing. It doesn't work. It doesn't make sense, and you will always
have that thorn in the side.
If you want to break that signature bind, then remove the 4871
requirement to hash the 5322.From header. Only then will it make
sense. But I still think you will never break the ultimate
association: From::Message that everyone sees, regardless of who signs.
Hector Santos, CTO
dkim-ops mailing list