This is really much simpler than you're making it out to be.
I understand the issue here, but part of the point of DKIM/ADSP is to allow
automated systems to assign reputation to an email domain or email address
- a byte string.
For DKIM, that's basically right, it ties a domain to a mail stream so
receivers can assign a reputation to the mail stream. For ADSP that's
completely wrong, all it does is allow senders to make assertions that
receivers may or may not find credible or useful, but that have
nothing at all to do with managing the mail stream's reputation.
(Remember that ADSP only applies to mail not in the signed mail
stream.)
It might be nice if paypal could publish in the DNS a set of related
domains, that it is willing to share the reputation of paypay.com
Why would they do that? Remember that DKIM is not SPF nor Sender-ID,
and you can put your domain's signature on any mail you send. Paypal
signs their mail with paypal.com. If I send you a Paypal payment,
they will send you a mail with my return address announcing the
payment. That message is signed with d=paypal.com because Paypal
takes responsibility. (They really do this, I just tried it.)
Positive reputation could flow from paypal.com to the shared domains, and
negative reputation in the reverse direction.
Positive reputation flows from paypal.com to the mail they sign. If you
think they need a lot of signing domains, you're misunderstanding the
way that DKIM works.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html