dkim-ops
[Top] [All Lists]

Re: [dkim-ops] subdomain vs. cousin domain (when deploying"discardable")

2010-09-09 08:01:47
I want to thank everyone who chimed in with their informed opinions.  
Unfortunately I'm still where I started, i.e. smart, informed, well meaning 
professionals have completely opposing views on what "best practice" is in this 
regard.

-- Brett


On Sep 8, 2010, at 3:41 PM, Hector Santos wrote:

Douglas Otis wrote:
 On 9/8/10 11:23 AM, Jim Fenton wrote:
No, I'm suggesting that they publish an explicit dkim=unknown if that is 
their intent.
It seems unlikely dkim=unknown will support their goal of ensuring most 
phishing attempts are blocked.  It also seems unlikely this assertion 
will override rules intent on eliminating subdomain spoofing not 
otherwise handled by ADSP dkim=discardable.

The TPA-Label draft attempted to avoid the dilemma created by 
dkim=discardable in respect to normal email use and its undefined 
handling of subdomains.

IMHO, their best choice is likely to keep their corporate domain 
separate from their web presence and its transactional email. 

+1.

The worst thing they can do is to have a relaxed policy with anything 
resembling their brand name and domain, especially corp.paypal.com, in 
public channels.  The unfortunate thing is that we currently warming 
up systems to view 3PS signatures as an "acceptable" idea and the only 
way to deal with it is the single source vouching of the last signer 
in the path.  That single source vouching isn't going to happen.  Not 
every verifier is going to be buying into a single vendor vouching for 
signers.

If they do 
follow your advice, their results would prove informative for others.

DKIM=UNKNOWN will only provide value for SSA (Special Signing 
Arrangement).

It will negative impact a high value domain like paypal when it begins 
to negatively warm up systems that don't have an association with a SSA.

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com


_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops


_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops

<Prev in Thread] Current Thread [Next in Thread>