dkim-ops

Re: [dkim-ops] hammering with a soldering iron, was subdomain vs. cousin domain

2010-09-09 21:40:00
> Ugh!  We simply have to fix the root cause of MLM's breaking DKIM signatures.

Um, the root cause is that people want DKIM to be something it is not,
was never intended to be, and cannot be.  It doesn't provide robust,
long lived signatures.  There are signing systems that do, but DKIM
isn't one of them.

MLMs have changed messages for decades.  That's not a bug, and it's
not going to change.  DKIM is designed to survive minor changes
typical of transit through an MTA, and no more.  That's not a bug,
either, and that's not going to change.

In retrospect, it was a mistake to add l= to DKIM, since it encouraged
the mistaken belief that a lot of signatures might be able to survive
a trip through an MLM.

My opinion about ADSP is hardly a secret, so rather than reiterate its
faults, let me just say that any organization that wants to use ADSP
should be prepared to bear the costs of doing so, such as making
arrangements for valuable mail to come from a different domain, as
Paypal is doing.

For the .GOV domains, I don't see anything in the dotgov.gov web site
that restricts an entity to a single domain, and I know there are
plenty of names like DONOTCALL.GOV registered to departments with
other domains (FTC.GOV in that case.)  If they really send discardable
mail and want to publish ADSP, which I'd think would be rare, they can
get different domain names.

For .EDU, I'd be surprised if many of them were phish targets, and for
the tiny fraction that might be, they have subdomains or .ORG as an
alternative for their valuable mail.

R's,
John
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
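
The distinction drawn in the message above, as an added example that is not part of the original post: the DKIM body hash under "relaxed" canonicalization (RFC 6376) tolerates whitespace changes made in transit but not a footer appended by an MLM, unless l= limits the hashed length. The sample bodies and the `survives` helper are constructed for illustration.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization, RFC 6376 section 3.4.4."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line)  # runs of WSP become one SP
        out.append(line.rstrip(b" "))          # WSP at end of line is ignored
    while out and out[-1] == b"":              # empty lines at end of body are ignored
        out.pop()
    return b"".join(l + b"\r\n" for l in out)

def body_hash(body: bytes, length=None) -> str:
    """SHA-256 bh= value; `length` models l= (octets of canonical body hashed)."""
    canon = relaxed_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()

# Constructed sample bodies (not taken from any real message).
SIGNED = b"Hello list,\r\n\r\nMeeting moved to 3pm.\r\n"
MTA_TOUCHED = b"Hello list,  \r\n\r\nMeeting \t moved to 3pm.\r\n\r\n\r\n"
VIA_MLM = SIGNED + b"_______________\r\ndkim-ops mailing list\r\n"

def survives(received: bytes, use_l: bool = False) -> bool:
    """Does the received body still match the bh= computed over SIGNED?"""
    l = len(relaxed_body(SIGNED)) if use_l else None
    return body_hash(received, l) == body_hash(SIGNED, l)

if __name__ == "__main__":
    print("whitespace changes in transit:", survives(MTA_TOUCHED))
    print("MLM footer, no l=:", survives(VIA_MLM))
    print("MLM footer, l= set:", survives(VIA_MLM, use_l=True))
```

With l= the body hash matches again only because the appended footer lies outside the hashed octets; a Subject tag or any other change to a signed header would still fail verification.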
