
Re: [dkim-ops] subdomain vs. cousin domain (when deploying "discardable")

2010-09-09 17:15:58
On 9/9/10 1:14 PM, John Levine wrote:
The real problem is that we're all guessing.  If everyone followed the
rules for DKIM and ADSP, it wouldn't matter what domains you used,
since the specs make it quite clear that as far as DKIM is concerned,
there's no relation between one domain and another, even if one is a
subdomain of another.  So we have to try to guess in what ways people
will implement DKIM wrong and at this point, we don't have enough data
to say one way or another.

Personally, I think you should use x.com because it's such a cool domain,
or failing that, corp.paypal.com.

John,

Indeed, DKIM did not concern itself with subdomains.  Unfortunately, this
is not a feature improving protections afforded by domain specific
policies.  Email administrators will recognize this failing, and likely
intervene with manual filtering for more egregious cases. Such actions
then mean subdomains might be impacted by unseen actions. As such, use
of corp.paypal.com can potentially produce two sizable negative effects.

1) Cause an increase in the acceptance rates of spoofed mail mimicking
transactional messages using corp.paypal.com.

2) Cause a decrease in the acceptance rates of legitimate corporate
mail, even for those recipients that verify DKIM.

Should Paypal advise users not to trust @corp.paypal.com (ADSP unknown)
and to only trust @paypal.com messages (ADSP discardable)?  Few would
understand why.

-Doug
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
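The ADSP behaviour the thread turns on, as an added example that is not part of the original posts: a minimal RFC 5617-style evaluator run over a constructed DNS zone (hypothetical records for paypal.com and corp.paypal.com, not real zone data; the verdict strings are a receiver-local choice). It shows that a "discardable" policy on paypal.com says nothing about corp.paypal.com, and that a signature from the wrong domain in the pair does not count as an Author Domain signature.

```python
# Constructed DNS TXT records (hypothetical; not the real zones).
ZONE = {
    "paypal.com": ["v=spf1 -all"],
    "_adsp._domainkey.paypal.com": ["dkim=discardable"],
    "corp.paypal.com": ["v=spf1 -all"],
    # No _adsp._domainkey.corp.paypal.com record: ADSP there is "unknown".
}


def domain_exists(domain):
    """RFC 5617 first checks that the Author Domain exists in DNS at all."""
    return any(name == domain or name.endswith("." + domain) for name in ZONE)


def adsp_policy(author_domain):
    """Fetch the ADSP policy for the exact Author Domain; nothing is inherited
    from a parent domain and nothing flows down to a subdomain."""
    if not domain_exists(author_domain):
        return "nxdomain"
    for txt in ZONE.get("_adsp._domainkey." + author_domain, []):
        tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
        value = tags.get("dkim", "unknown").strip()
        if value in ("all", "discardable"):
            return value
    return "unknown"


def evaluate(author_domain, verified_sig_domains):
    """Return (policy, author_signed, verdict) for one message.

    author_signed is true only for a valid DKIM signature whose d= equals the
    From: domain exactly; a parent or child domain signing does not count.
    The verdict mapping is this example's receiver-local choice.
    """
    policy = adsp_policy(author_domain)
    author_signed = author_domain in verified_sig_domains
    if policy == "nxdomain":
        verdict = "reject"
    elif policy == "discardable" and not author_signed:
        verdict = "discard"
    elif policy == "all" and not author_signed:
        verdict = "suspicious"
    else:
        verdict = "accept"
    return policy, author_signed, verdict
```

Running it reproduces both of Doug's effects: an unsigned spoof of @corp.paypal.com is accepted because its ADSP is unknown, while a legitimate @paypal.com message that happens to carry only a corp.paypal.com signature is discarded.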
