John Levine wrote:
Could someone please explain the nature of the problem that would
exist when these (financial) institutions can't selectively add
DKIM signatures to outbound email? Engineering is about balance,
but I haven't heard enough to make the trade off yet.
I think the alleged problem that putatively needs to be solved is that
bigbank.com somehow manages to get signing in place for their
employees whose names start with A through M, but hasn't gotten
around to doing so for N through Z and wants to tell the world that it
signs all of the A through M.
That may be a use (though pretty unlikely to me), but the use case that I've
heard of is more aimed at securing things like statements(_at_)bigbank(_dot_)com
without having to say "I sign everything" for the entire domain which is
assumedly a lot harder. The thing about this is that you can alternately set up
a record for statements(_at_)accounts(_dot_)bigbank(_dot_)com or somesuch which
would work the same way.
I've heard it expressed that that is problematic for some people, but I
frankly don't remember why at this point. Hopefully somebody can remind me.
Mike
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html