On 9/9/10 1:14 PM, John Levine wrote:
> The real problem is that we're all guessing. If everyone followed the
> rules for DKIM and ADSP, it wouldn't matter what domains you used,
> since the specs make it quite clear that as far as DKIM is concerned,
> there's no relation between one domain and another, even if one is a
> subdomain of another. So we have to try to guess in what ways people
> will implement DKIM wrong and at this point, we don't have enough data
> to say one way or another.
>
> Personally, I think you should use x.com because it's such a cool domain,
> or failing that, corp.paypal.com.

John,
Indeed DKIM did not concern itself with subdomains. Unfortunately, this is not a feature improving protections afforded by domain-specific policies. Email administrators will recognize this failing, and likely intervene with manual filtering for more egregious cases. Such actions then mean subdomains might be impacted by unseen actions. As such, use of corp.paypal.com can potentially produce two sizable negative effects:

1) Cause an increase in the acceptance rates of spoofed mail mimicking transactional messages using corp.paypal.com.

2) Cause a decrease in the acceptance rates of legitimate corporate mail, even for those recipients that verify DKIM.

Should Paypal advise users not to trust @corp.paypal.com (ADSP unknown) and to only trust @paypal.com messages (ADSP discardable)? Few would understand why.

-Doug

_______________________________________________
dkim-ops mailing list
http://mipassoc.org/mailman/listinfo/dkim-ops
