This gives the holder of the private key the ability to sign messages
for benefits(_at_)asia(_dot_)example(_dot_)com, which might be a different
addition to the intended address.
I can see where this might not be desired. The fix for this that I
would suggest would be to put something in the key record saying that
the key can't sign for subdomains. Is this worth doing?
Heck, no. This is yet another technical solution to a non-technical
problem. The company tells its provider "use this key to send mail
about our benefits program from benefits(_at_)example(_dot_)com" If they misuse
it, they revoke the validation key and say "you're fired."
If their job is to send mail with a return address of
benefits(_at_)example(_dot_)com with contents saying "your claim is denied",
would you do if the contents instead said Hot Nude Teen Babes? Why
should that be any different from what you'd do if they used an
unauthorized From: address? Why do you want to make a special case
for one particular kind of misuse of a signing key?
PS: If you think this means that I don't find i= to be very useful,
you're right, but it seems harmless enough that I see no reason to
take it out.
NOTE WELL: This list operates according to