
Re: [ietf-dkim] Overloaded signatures, was Consensus point on ADSP

2009-03-31 07:00:37
> Let's say that ietf-examples@foo.example is a mailing list that
> re-signs mail sent to the list (or it could be a forwarder or
> similar agent).

 [ same old example of lists and individuals sharing a domain ]

It's the same old answer, if the list is a different mailstream,
use a different signing key.  We could also argue about the wisdom
of a domain publishing dkim=all when it knows that its users send
mail through lists and forwarders that are likely to break the
signature.

> I do not like the idea of "just change someone's domain" or "just
> change the list's domain" because it has always been DKIM's goal to
> operate with existing addresses.

Nobody I know is suggesting that. You use a different d= signing
domain for the mailing list mail.  As Steve Atkins recently pointed
out, the signing domain doesn't even have to exist other than the key
record, so this requires one (1) extra TXT record in the DNS.  It
doesn't strike me as a good idea to require extra complexity in the
design for the benefit of signers whose DNS ops are willing to publish
one key record but not publish two key records.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
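An added illustration of the two points in the message above (this is example code written for this page, not code from the original message, the list, or any DKIM implementation): a verifier derives the key record name purely from the d= and s= tags, so a list signing domain such as lists.foo.example needs nothing in the DNS but that one TXT record; and a list signature under a different d= is not an Author Domain Signature for foo.example, so if the list breaks the user's own signature, an ADSP record of dkim=all is violated. All names, keys and the in-memory DNS table are constructed for the example; the result labels are simplified stand-ins, not the exact result names RFC 5617 defines.

```python
import re

# Constructed stand-in for the DNS.  lists.foo.example has no records at all
# except the selector key record, which is all a DKIM verifier ever asks for.
# The p= values are truncated placeholders, not real keys.
DNS_TXT = {
    "mail._domainkey.foo.example": "v=DKIM1; k=rsa; p=MIGfMA0GPLACEHOLDER",
    "list._domainkey.lists.foo.example": "v=DKIM1; k=rsa; p=MIGfMA0GPLACEHOLDER",
    "_adsp._domainkey.foo.example": "dkim=all",
}

# Constructed headers: the author's signature and the list's re-signature.
FROM_HEADER = "Some User <user@foo.example>"
USER_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=foo.example; s=mail;"
            " h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=")
LIST_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.foo.example; s=list;"
            " h=from:to:subject:date:list-id; bh=PLACEHOLDER=; b=PLACEHOLDER=")


def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict,
    dropping folding whitespace inside values."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, val = item.partition("=")
        tags[name.strip()] = "".join(val.split())
    return tags


def key_record_name(sig):
    """The only DNS name a verifier needs for this signature: <s>._domainkey.<d>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def lookup_key(sig):
    """Fetch the selector record; None means the verifier cannot verify."""
    return DNS_TXT.get(key_record_name(sig))


def author_domain(from_header):
    """Domain of the first address in From:, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else None


def adsp_policy(domain):
    """Return the dkim= value of the domain's ADSP record, or None if absent."""
    rec = DNS_TXT.get(f"_adsp._domainkey.{domain}")
    return parse_tags(rec).get("dkim") if rec is not None else None


def adsp_check(from_header, signatures):
    """signatures: list of (DKIM-Signature value, verified_ok) pairs, where
    verified_ok is the outcome of the cryptographic check (simulated here).
    An Author Domain Signature is a verified signature whose d= equals the
    From: domain; only that satisfies dkim=all.  Labels are constructed."""
    author = author_domain(from_header)
    author_signed = any(
        ok and parse_tags(value).get("d", "").lower() == author
        for value, ok in signatures
    )
    if author_signed:
        return "author-signature-verified"
    policy = adsp_policy(author)
    if policy in ("all", "discardable"):
        return f"policy-violation({policy})"
    return "no-policy-or-unknown"


if __name__ == "__main__":
    list_sig = parse_tags(LIST_SIG)
    print("list key record:", key_record_name(list_sig), "->", lookup_key(list_sig))
    # The list altered the body, so the author's signature no longer verifies.
    print("list broke user sig:", adsp_check(FROM_HEADER, [(USER_SIG, False), (LIST_SIG, True)]))
    # The list left the signed content intact.
    print("user sig intact:   ", adsp_check(FROM_HEADER, [(USER_SIG, True), (LIST_SIG, True)]))
```

Running it shows the list signature resolving to list._domainkey.lists.foo.example with no other records under lists.foo.example, and the ADSP outcome flipping from author-signature-verified to policy-violation(all) as soon as the list's changes invalidate the foo.example signature, which is exactly the risk in publishing dkim=all for users who post through lists.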
