ietf-dkim

Re: [ietf-dkim] SSP - should r= be localpart only?

2006-02-17 06:37:10
Hi Mark,
At 18:11 16-02-2006, Mark Delany wrote:
> Not that I know when r= should be used, but, it strikes me that having
> an r= specify an address outside of the domain in question is a
> potential for DOSing some innocent third-party.

"r=" is used for reports and inquiries regarding the signing policy. Currently, there is no restriction on the email address for that tag. Some implementations of DKIM send out an automated message to notify the signer of verification failures. There is a well-known domain which sends out an automated reply on receipt of messages to the reporting email address. The "r=" tag can easily be misused.

> So, should r= only specify a localpart and the domain is implied by
> the domain being queried, or if r= specifies a complete address,
> should the domain be constrained to be in the policy query domain or
> below?

The "r=" tag should be restricted to email addresses within the SSP domain being queried. The host part of the email address should be constrained to be within the SSP domain. You can then use email addresses such as abuse@example.com or abuse@reporting.example.com.

Regards,
-sm
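An added example of the restriction proposed in the message above, written for this page and not taken from the thread or from any DKIM/SSP implementation: a verifier-side check that resolves an "r=" value against the SSP domain that was queried. A bare localpart takes the queried domain; a full address is accepted only if its host part is that domain or a subdomain of it, compared on label boundaries so that look-alike suffixes such as example.com.attacker.example and notexample.com are rejected. The "tag=value; tag=value" record layout, the tag names and the sample records are assumptions for illustration.

```python
"""
Added example (not from the ietf-dkim thread): resolve and validate an SSP
"r=" reporting address against the SSP domain that was queried.

Rule implemented (as proposed in the message above):
  - localpart only      -> domain is the queried SSP domain
  - full address        -> host part must equal the queried domain or be a
                           subdomain of it; anything else is ignored
The 'tag=value; tag=value' record layout is assumed for illustration.
"""
import re

# Loose dot-atom localpart check; full RFC 2822 syntax is out of scope here.
_LOCALPART = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+$")
# One DNS label: letters/digits, hyphens allowed inside, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def normalize_domain(domain: str) -> str:
    """Lower-case and strip a trailing root dot so comparisons are by label."""
    return domain.strip().rstrip(".").lower()


def is_within_domain(host: str, policy_domain: str) -> bool:
    """True if host equals policy_domain or is a subdomain of it.

    The comparison is anchored on a label boundary, so for policy domain
    'example.com' both 'example.com.attacker.example' and 'notexample.com'
    are rejected while 'reporting.example.com' is accepted.
    """
    host = normalize_domain(host)
    policy_domain = normalize_domain(policy_domain)
    if not host or not policy_domain:
        return False
    if not all(_LABEL.match(label) for label in host.split(".")):
        return False
    return host == policy_domain or host.endswith("." + policy_domain)


def resolve_report_address(r_value: str, policy_domain: str):
    """Turn an r= value into the mailbox a verifier may send reports to.

    Returns the resolved address, or None when the value must be ignored
    (empty, malformed, or pointing outside the queried SSP domain).
    """
    value = r_value.strip()
    if not value:
        return None
    if "@" not in value:
        # Localpart only: the domain is implied by the domain being queried.
        if not _LOCALPART.match(value):
            return None
        return f"{value}@{normalize_domain(policy_domain)}"
    localpart, _, host = value.rpartition("@")
    if not _LOCALPART.match(localpart):
        return None
    if not is_within_domain(host, policy_domain):
        return None  # would let the record direct reports at a third party
    return f"{localpart}@{normalize_domain(host)}"


def parse_ssp_record(record: str) -> dict:
    """Split a 'tag=value; tag=value' record into a dict (layout assumed)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, _, val = part.partition("=")
            tags[tag.strip()] = val.strip()
    return tags


def report_address_from_record(record: str, policy_domain: str):
    """Return the usable reporting address from a record, or None."""
    tags = parse_ssp_record(record)
    if "r" not in tags:
        return None
    return resolve_report_address(tags["r"], policy_domain)


if __name__ == "__main__":
    # Constructed sample records, all evaluated for the policy domain example.com.
    samples = [
        "t=y; r=abuse",                                # localpart only
        "t=y; r=abuse@example.com",                    # same domain
        "t=y; r=abuse@reporting.example.com",          # subdomain
        "t=y; r=victim@innocent-third-party.example",  # outside domain: rejected
        "t=y; r=abuse@example.com.attacker.example",   # look-alike suffix: rejected
        "t=y; r=abuse@notexample.com",                 # label boundary: rejected
        "t=y",                                         # no r= tag at all
    ]
    for rec in samples:
        print(f"{rec!r:48} -> {report_address_from_record(rec, 'example.com')}")
```

The suffix test is deliberately `host == domain or host.endswith("." + domain)` rather than a bare `endswith(domain)`; the bare form is the usual mistake and would accept notexample.com as "within" example.com.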
_______________________________________________
NOTE WELL: This list operates according to http://dkim.org/ietf-list-rules.html