http://www.dkim.org/specs/rfc4871-dkimbase.html
4.1 Example Scenarios
There are many reasons why a message might have multiple signatures. For
example, a given signer might sign multiple times, perhaps with different
hashing or signing algorithms during a transition phase.
5.1 Determine Whether the Email Should Be Signed and by Whom
A signer can obviously only sign email for domains for which it has a private
key and the necessary knowledge of the corresponding public key and selector
information.
----------------
But more important:
----------------
i=
Identity of the user or agent (e.g., a mailing list manager) on behalf of
which this message is signed (dkim-quoted-printable; OPTIONAL, default is an
empty Local-part followed by an "@" followed by the domain from the "d=" tag).
The syntax is a standard email address where the Local-part MAY be omitted. The
domain part of the address MUST be the same as or a subdomain of the value of
the "d=" tag.
INFORMATIVE DISCUSSION: This document does not require the value of the "i="
tag to match the identity in any message header fields. This is considered to
be a verifier policy issue. Constraints between the value of the "i=" tag and
other identities in other header fields seek to apply basic authentication into
the semantics of trust associated with a role such as content author. Trust is
a broad and complex topic and trust mechanisms are subject to highly creative
attacks. The real-world efficacy of any but the most basic bindings between the
"i=" value and other identities is not well established, nor is its
vulnerability to subversion by an attacker. Hence reliance on the use of these
options should be strictly limited. In particular, it is not at all clear to
what extent a typical end-user recipient can rely on any assurances that might
be made by successful use of the "i=" options.
----------------
So i= and d= can be from a totally different domain than the email is sent
from, as long as the MTA has the private key and can use it to sign.
----- Original Message -----
From: "Jeff Macdonald" <jmacdonald(_at_)e-dialog(_dot_)com>
To: "Anti-Spam Research Group - IRTF" <asrg(_at_)irtf(_dot_)org>
Sent: Saturday, 10 January, 2009 2:59:07 AM (GMT+1200) Auto-Detected
Subject: Re: [Asrg] DKIM role?
On Sat, Jan 10, 2009 at 01:54:14AM +1200, Franck Martin wrote:
The beauty of DKIM is that a federation of Universities could
provide a DKIM signature for all UK education centers. Ensuring you
are dealing with properly registered education centers.
What would such a DKIM signature look like?
--
Jeff Macdonald
jmacdonald(_at_)e-dialog(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
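
The "i=" and "d=" relationship quoted from RFC 4871 in the message above, as an added example that is not part of the original message or of the RFC: it parses a DKIM-Signature tag list, applies the "i=" default, enforces the same-or-subdomain rule, and separately reports whether the From domain falls under "d=", which the RFC leaves to verifier policy. The function names, the domains, the selector and the placeholder hash values are all constructed for illustration.

```python
import re

# Constructed sample (not from the thread): header value with placeholder hashes.
SAMPLE = ("v=1; a=rsa-sha256; d=federation.example; s=sel2009;\r\n"
          "\tc=relaxed/simple; i=@members.federation.example;\r\n"
          "\th=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")

def parse_tags(header_value):
    """Split a DKIM-Signature value into a {tag: value} dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # Simplification: drop all whitespace, which also removes header folding.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def signing_identity(tags):
    """Return (local_part, i_domain, d), enforcing the i=/d= rule quoted above."""
    d = tags["d"].lower()
    i = tags.get("i", "@" + d)  # default: empty Local-part + "@" + d= domain
    # i= is dkim-quoted-printable: decode =XX escapes.
    i = re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), i)
    if "@" not in i:
        raise ValueError("i= must contain '@'")
    local, _, i_domain = i.rpartition("@")
    i_domain = i_domain.lower()
    # Label-boundary match, so notfederation.example does not pass for federation.example.
    if i_domain != d and not i_domain.endswith("." + d):
        raise ValueError(f"i= domain {i_domain!r} is not {d!r} or a subdomain of it")
    return local, i_domain, d

def check(header_value, from_addr):
    """Validate i= against d=, then report whether From falls under d= (policy only)."""
    local, i_domain, d = signing_identity(parse_tags(header_value))
    from_domain = from_addr.rpartition("@")[2].lower()
    return {"d": d, "i": f"{local}@{i_domain}",
            "from_under_d": from_domain == d or from_domain.endswith("." + d)}

if __name__ == "__main__":
    print(check(SAMPLE, "student@college.example"))
```

A signature can satisfy the "i="/"d=" rule while `from_under_d` is false; what a verifier does with that result is its own policy decision.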