-----Original Message-----
From: Murray S. Kucherawy [mailto:msk(_at_)cloudmark(_dot_)com]
Sent: Monday, September 13, 2010 3:21 PM
To: MH Michael Hammer (5304); McDowell, Brett
Cc: dkim-ops(_at_)mipassoc(_dot_)org
Subject: RE: [dkim-ops] BCP for authorizing third-parties ([...] was
subdomain vs. cousin domain)
-----Original Message-----
From: MH Michael Hammer (5304) [mailto:MHammer(_at_)ag(_dot_)com]
Sent: Monday, September 13, 2010 12:09 PM
To: McDowell, Brett; Murray S. Kucherawy
Cc: dkim-ops(_at_)mipassoc(_dot_)org
Subject: RE: [dkim-ops] BCP for authorizing third-parties ([...] was
subdomain vs. cousin domain)
There is actually another approach besides what you indicate above.
A
domain can delegate a domain or subdomain to the 3rd party and let
them
generate the keys and signature.
Yes, that's true. But both methods effectively make the third-party
signer a part of the same domain as far as DKIM goes, inasmuch as the
delegation is transparent to the verifier. So, in the end, they look
identical.
Actually not quite true Murray.
If I am signing for americangreetings.com and I delegate
email.americangreetings.com to ExactTarget (a real example) and they are
generating their own keys for email. and signing, that is a first party
signature as far as the verifier is concerned (not 3rd party).
It also doesn't integrate email. into the base domain of
americangreetings.com from a verifier perspective.
Mike
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops