Mostly key management issues. If you use selectors to ID streams instead of keys, what happens when a key needs to be updated/replaced? It can take hours+ before a change to a DNS record is propagated no matter what your TTL says. If you swap keys, any mail using that selector can fail DKIM while the receiver has the old key cached. However, if you leave your old selector/key in place and start signing with a new selector/key for all new mailings, you shouldn't have the outdated DNS caching issue.
On Thu, Aug 20, 2015 at 2:17 PM, eric johnansson via dmarc-discuss <[email protected]> wrote:

>
> > ----- Original Message -----
> > From: "John Levine" <[email protected]>
> > To: [email protected]
> > Cc: [email protected]
> > Sent: Thursday, August 20, 2015 1:57:19 PM
> > Subject: Re: [dmarc-discuss] Still having problems with third-party sending
>
> > DKIM and DMARC and for that matter SPF are not designed to
> > distinguish among authorized senders for the same domain. If you want to manage
> > multiple mail streams independently, use subdomains.
> >
> > >- From addresses should look like: [email protected] .
> >
> > Use something like [email protected]. They can delegate
> > email.intelli-shop.com to you, then you can set up all of the DKIM
> > and SPF and DMARC stuff for that subdomain any way you want. If you look
> > at the mail coming from large brands, you'll see that's pretty
> > common.
>
> I've been looking at examples. I'm not sure how to solve the problem of
> recipient perception of the subdomain. We have been so effective at
> convincing people that email addresses that look different from what you
> are expecting are a phishing attack and they should simply delete it that
> they do not respond to our subdomain emails but still fall for real
> phishing. Yes, the irony is not lost on me.
>
> Also, the DMARC third-party methods seem to be aimed at solving the one-way
> communications problem (newsletters, bills, notices) and not where the
> bulk mail is the start of a two-way conversation.
>
> Another issue with subdomains is the return address. Maybe a customer can
> alias one domain on top of another, but that also triggers suspicion on the
> part of the recipient. Not sure how to handle that one.
>
> > DKIM selectors are for key management, not to create multiple mail
> > streams visible to outsiders. You're not the first to have that
> > misunderstanding but I don't know how to make it any clearer in the
> > documentation.
>
> Maybe the "misunderstanding" speaks to a common conceptual model for
> outsiders? What are the implications of generalizing selectors to
> identifying different streams?
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)
>

-- 
PAUL ROCK
Principal Programmer/Analyst | AOL Mail
P: 703-265-5734 | C: 703-980-8380
AIM: paulsrock
22070 Broderick Dr. | Dulles, VA | 20166-9305
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
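The key-rotation point at the top of this thread (swapping the key under a selector fails while receivers still hold the old record; publishing the new key under a new selector and signing new mail with it does not), as an added Python model that is not code from the thread or from any DKIM implementation: an HMAC over the body stands in for the real DKIM signature, and the domain, selector names, TTL and key bytes are constructed values.

```python
import hashlib
import hmac

# Constructed model: a receiver's DNS cache versus a sender's key change.
# An HMAC over the body stands in for the real RSA/Ed25519 DKIM signature;
# the domain, selector names and key bytes are made up for this example.
DOMAIN = "example.com"
TTL = 3600                  # TTL the receiver honours for cached TXT records
OLD_KEY, NEW_KEY = b"old-key-material", b"new-key-material"

def dkim_name(selector):    # name a verifier queries for the s= tag
    return f"{selector}._domainkey.{DOMAIN}"

class CachingResolver:
    def __init__(self, zone):
        self.zone = zone    # authoritative data: name -> key bytes (mutable)
        self.cache = {}     # name -> (key bytes, expiry)
    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]   # cached answer, even if the zone changed since
        key = self.zone.get(name)
        if key is not None:
            self.cache[name] = (key, now + TTL)
        return key

def sign(body, selector, key):
    """Return (selector, tag), like the s= and b= tags of a DKIM-Signature."""
    return selector, hmac.new(key, body, hashlib.sha256).hexdigest()

def verify(resolver, body, selector, tag, now):
    key = resolver.lookup(dkim_name(selector), now)
    if key is None:
        return False        # no key published at that selector
    return hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).hexdigest())

def mail_verifies_after_key_change(reuse_selector, sent_at):
    """Receiver cached selector s2015a at t=0; sender then changes keys.
    Returns whether a mail signed with the new key at sent_at verifies."""
    zone = {dkim_name("s2015a"): OLD_KEY}
    resolver = CachingResolver(zone)
    sel, tag = sign(b"old mail", "s2015a", OLD_KEY)
    verify(resolver, b"old mail", sel, tag, now=0)   # populates the cache
    if reuse_selector:      # swap the key under the same selector
        zone[dkim_name("s2015a")] = NEW_KEY
        sel, tag = sign(b"new mail", "s2015a", NEW_KEY)
    else:                   # keep s2015a, publish s2015b and sign with it
        zone[dkim_name("s2015b")] = NEW_KEY
        sel, tag = sign(b"new mail", "s2015b", NEW_KEY)
    return verify(resolver, b"new mail", sel, tag, now=sent_at)
```

Mail signed with the swapped key fails until the receiver's cached record expires, while the new-selector mail verifies immediately because nothing for that name was ever cached.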
