On 9/13/10 12:40 PM, MH Michael Hammer (5304) wrote:
There is in fact a significant difference between handing your
private key to a 3rd party and delegating a subdomain. While to you
as a verifier, it may be just another domain, to myself as a sender
and signer it is a significant difference in terms of management and
Delegating a subdomain below _domainkey to a third-party would allow
them to generate their own DKIM keys, but it also means they will
control the content of the key record. This becomes more risky when
more services start utilizing DKIM public keys. Any domain below
_domainkey could be delegated, but users and recipients will likely pay
attention to the domain used in email, and even then are likely to
obtain the same whois information for the email and the selector
domain. A verifier could examine the location of the key selectors, and
might notice different SOA and NS records. Are you suggesting these
records should be checked for every component of a domain's email
Things like TPA or DSAP attempt to make the delegation of
authority visible, but the ones that use DNS mechanisms like
CNAME and NS don't do so.
You are correct. I forget that many in the mail community do not know
how to use tools such as dig.
Should verifiers check to determine whether the DKIM keys have different
SOA and NS records than the MX record?
What would it mean when all of these domains are different?
dkim-ops mailing list