Bill(_dot_)Oxley(_at_)cox(_dot_)com wrote:
I would suggest that DKIM operates between the signing MTA and the edge
boundary MTA of the receiving domain that is the certifier of DKIM
signatures which may be a smart MUA but is more likely a filtering MTA
at the ISP.
This is the sort of question that prompted me to add the construct of
Administrative Management Domain (ADMD) to the Internet Mail Architecture draft
<http://bbiw.net/specifications/draft-crocker-email-arch-05.html>
DKIM is envisioned as having signing done within an originating ADMD -- that is,
within a trust boundary associated with the author or at least with the author's
email posting service, and having validation done by a similarly-scoped
environment at the recipient end. (Validation by intermediaries is fine, but
hasn't been a focus.)
Exactly which host within an ADMD will do signing or validating is not
constrained by DKIM's design.
There are operational realities that will constrain the choices for many
ADMDs, but this is not a matter of DKIM design, but rather of handling (or
perhaps MIShandling) behaviors within the ADMD.
Any other statements about host choices are a matter of preference, rather than
need. That the statements might prove true doesn't make them less an
administrative choice.
So, yeah, a scenario that is viewed as highly likely is signing by the outbound
boundary MTA and validating by the inbound boundary MTA. Lots of good reasons
for doing that. None of them makes this scenario mandatory, however.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html