On 9/6/10 7:59 PM, Jim Fenton wrote:
> If you are using a subdomain and want to be doubly sure that nobody is
> using the parent domain check, you might want to publish an explicit
> ADSP record for the domain rather than rely on the default of
> "unknown" if that is what you want to assert.

Jim,

Are you suggesting corp.paypal.com should use ADSP dkim=all? This is
still likely to disrupt some mailing-list messages that corp.paypal.com
might desire to share, and allow spoofed messages to gain acceptance
using corp.paypal.com.

How will recipients know Jon Doe <ceo(_at_)corp(_dot_)paypal(_dot_)com> is less
trustworthy than Jon Doe <ceo(_at_)paypal(_dot_)com>? Bad actors may only need
recipients to click on an attachment displayed as "paypal-policy.docx"
referencing paypal-policy.docx.exe, or a link offering details on
obtaining Referral Benefit pay-outs.

Ideally, only one domain should be used to exchange email, but currently
ADSP is unable to safely permit this practice. Unfortunately,
subdomains are nearly as confusing as cousin domains. However, a
recipient is likely to be more wary of cousin domains and to recognize
paypal.com and trust its subdomains more than they should in this case.

-Doug
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
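
Added example, not part of the original message or of any project's code: a small Python sketch of the ADSP lookup (RFC 5617) discussed in this thread, showing that a subdomain with no record of its own gets the default "unknown" even when its parent publishes a strict practice. The zone contents, the example.com names and the function names are constructed for illustration.

```python
import re

# Constructed TXT data standing in for DNS; not real records for any domain.
TXT = {
    "_adsp._domainkey.example.com": ["dkim=discardable"],
    "_adsp._domainkey.lists.example.com": ["dkim = all"],
}
# Constructed set of names that exist in DNS (anything else is NXDOMAIN).
HOSTS = {"example.com", "corp.example.com", "lists.example.com"}

_ADSP = re.compile(r"^dkim[ \t]*=[ \t]*([A-Za-z0-9-]+)", re.ASCII)

def parse_adsp(txt):
    """Return the practice named in one TXT string, or None if it is not ADSP."""
    m = _ADSP.match(txt)
    if not m:
        return None
    value = m.group(1).lower()
    # A value the checker does not recognise is treated as "unknown".
    return value if value in ("unknown", "all", "discardable") else "unknown"

def adsp_practice(author_domain):
    """Look up ADSP for exactly the author domain; the parent is never consulted."""
    domain = author_domain.lower().rstrip(".")
    if domain not in HOSTS:
        return "nxdomain"
    records = TXT.get("_adsp._domainkey." + domain, [])
    found = [p for p in map(parse_adsp, records) if p]
    # No record gives the default "unknown"; this sketch also treats an
    # answer holding several ADSP records as "unknown".
    return found[0] if len(found) == 1 else "unknown"

def adsp_check(author_domain, signing_domains):
    """Return (practice, violates) for a message.

    signing_domains holds the d= values of DKIM signatures that already
    verified. Only a d= equal to the author domain is an author signature.
    """
    domain = author_domain.lower().rstrip(".")
    practice = adsp_practice(domain)
    author_signed = domain in {d.lower().rstrip(".") for d in signing_domains}
    violates = practice in ("all", "discardable") and not author_signed
    return practice, violates
```
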