
[dkim-ops] subdomain vs. cousin domain (when deploying "discardable")

2010-09-03 11:12:40
Hello everyone, this is my first post to the list.  I am a new subscriber.

I have been asking opinions from other DKIM deployers about "best practice" 
regarding some changes we are considering/testing at PayPal.

As background: 
-- We DKIM sign all mail from paypal.com (and other consumer-facing domains) - 
no change planned
-- We have ADSP=discardable for paypal.com, etc. - no change planned

But, some employees need to use external mail lists so we are setting up an 
alternative sending domain:
-- paypal-inc.com does not have ADSP=discardable (but we may publish an 
ADSP=all for it, TBD)
-- corp.paypal.com is another consideration vs. paypal-inc.com... any opinions 
about which is "better"?

Some considerations on my mind regarding paypal-inc.com vs. corp.paypal.com 
are:
-- paypal-inc is a "cousin domain" which some feel is a bad idea to legitimize, 
i.e. users should be conditioned to distrust anything other than your well 
known brand.
-- some DKIM enforcement policies require the same treatment for all subdomains 
as the top domain, so having paypal.com = discardable and corp.paypal.com = all 
would "break" these systems
-- there are other security and operational considerations that benefit from 
moving enterprise functions off of the consumer-facing domain and therefore 
moving the mail streams along with the app servers is at least convenient


Anyone here have an informed opinion on which way to go?  I've heard opposing 
views from very savvy and experienced deployers so I thought it would be a good 
discussion topic for this mail list.

Best Regards,


---
Brett McDowell, Technology & Policy Evangelist
PayPal Information Risk Management


_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
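
Added example (not part of the original post, and not PayPal's code): a Python sketch of the second consideration in the message, comparing an RFC 5617 exact-domain ADSP lookup with a receiver that applies the parent domain's practice to its subdomains. The zone contents, the function names, the disposition labels and the inheriting-receiver model are assumptions constructed for illustration.

```python
# Constructed ADSP TXT records (RFC 5617: _adsp._domainkey.<author domain>),
# mirroring the options in the post. Sample data, not real DNS answers.
ADSP_ZONE = {
    "_adsp._domainkey.paypal.com": "dkim=discardable",
    "_adsp._domainkey.corp.paypal.com": "dkim=all",
    "_adsp._domainkey.paypal-inc.com": "dkim=all",
}
PRACTICES = {"unknown", "all", "discardable"}


def parse_adsp(txt):
    """Return the dkim= practice of an ADSP record, or 'unknown' if unusable."""
    for tag in txt.split(";"):
        name, _, value = tag.partition("=")
        if name.strip() == "dkim":
            value = value.strip().lower()
            return value if value in PRACTICES else "unknown"
    return "unknown"


def lookup_exact(author_domain, zone=ADSP_ZONE):
    """RFC 5617-style lookup: only the Author Domain's own record is consulted."""
    txt = zone.get("_adsp._domainkey." + author_domain.lower())
    return parse_adsp(txt) if txt else "unknown"


def lookup_inherited(author_domain, org_domain, zone=ADSP_ZONE):
    """Hypothetical receiver that forces the parent's practice onto subdomains."""
    d = author_domain.lower()
    if d == org_domain or d.endswith("." + org_domain):
        return lookup_exact(org_domain, zone)
    return lookup_exact(d, zone)


def disposition(practice, has_valid_author_signature):
    """Illustrative receiver action; the real action is local receiver policy."""
    if has_valid_author_signature:
        return "accept"
    return {"discardable": "discard", "all": "flag-unsigned"}.get(practice, "no-policy")


def compare(author_domain, org_domain="paypal.com"):
    """(exact, inherited) outcome for list mail whose signature did not survive."""
    exact = disposition(lookup_exact(author_domain), False)
    inherited = disposition(lookup_inherited(author_domain, org_domain), False)
    return exact, inherited


if __name__ == "__main__":
    for domain in ("paypal.com", "corp.paypal.com", "paypal-inc.com"):
        print(domain, compare(domain))
```

Only corp.paypal.com produces two different outcomes, which is the "break" the message refers to; the cousin domain is treated the same by both receiver models.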