On 8/3/09 5:28 PM, hector wrote:
> The near issue has already come up and the end-result - NO. A
> customer was asked by their direct marketing spammer to add DKIM/DKEY
> records because YAHOO was forcing the issue on the spammer to access
> YAHOO recipients.
> They wanted to sign:
> coupons.majorcompany.com
> and ask the company to add DNS selector records. But the major
> company did have a way to stop fake or 3rd party
> majorcompany.com
> dept.majorcompany.com
> services.majorcompany.com
> signatures once bad guys learned that the domain was being signed!
> Since DKIM lacks fault detection, the answer was no.
The g= tag within the key could limit the local-part of the i= value
found in the signature header, but would not prevent the use of
subdomains. This would mean that g=noreply would allow:
noreply@coupons.majorcompany.com
noreply@dept.coupons.majorcompany.com
noreply@services.coupons.majorcompany.com
and even without the g= restriction the key would not allow:
majorcompany.com
dept.majorcompany.com
services.majorcompany.com
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
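
The scoping described in the reply above, as an added example that is not part of the original message: a key published under d=coupons.majorcompany.com is checked against candidate i= identities using only the d= and g= rules of RFC 4871. The function names and the sample identities are assumptions made for illustration.

```python
# Added illustration, not from the thread. Models only the d=/i= domain
# rule and the g= local-part rule (RFC 4871) discussed in the message.

def domain_covered(i_domain: str, d_domain: str) -> bool:
    """The i= domain must equal d= or be a subdomain of it."""
    i_domain = i_domain.lower().rstrip(".")
    d_domain = d_domain.lower().rstrip(".")
    return i_domain == d_domain or i_domain.endswith("." + d_domain)

def local_part_matches(local: str, g: str) -> bool:
    """g= is a case-sensitive literal with at most one '*' wildcard."""
    if g == "":
        return False              # an empty g= never matches any address
    if "*" not in g:
        return local == g
    prefix, _, suffix = g.partition("*")
    return (len(local) >= len(prefix) + len(suffix)
            and local.startswith(prefix) and local.endswith(suffix))

def identity_allowed(i: str, d: str, g: str = "*") -> bool:
    """True if a key for d= with granularity g= can cover identity i=."""
    local, _, domain = i.rpartition("@")
    return domain_covered(domain, d) and local_part_matches(local, g)

# Constructed sample identities based on the names used in the message.
SIGNING_DOMAIN = "coupons.majorcompany.com"
SAMPLES = [
    "noreply@coupons.majorcompany.com",
    "noreply@dept.coupons.majorcompany.com",
    "noreply@services.coupons.majorcompany.com",
    "sales@coupons.majorcompany.com",
    "noreply@majorcompany.com",
    "noreply@dept.majorcompany.com",
    "noreply@services.majorcompany.com",
]

def report(g: str = "noreply") -> dict:
    """Map each sample identity to whether the delegated key covers it."""
    return {i: identity_allowed(i, SIGNING_DOMAIN, g) for i in SAMPLES}

if __name__ == "__main__":
    for identity, ok in report().items():
        print(f"{'allowed' if ok else 'refused':8} {identity}")
```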