This is interesting, however it seems to me that DMARC should be more aware of it if used.
I would suggest to sign with a sub domain. This would keep alignement, but would allow you to see which DKIM signature worked. Once both DKIM signature work, you would not need the delegated one. I think DMARC should be made aware, so that it apply some constraints on when this signature is used/valid. May be only when there is a List-ID or List-Post header present, and the list has DKIM signed the whole message with its domain. It would require MLM to not drop DKIM headers... Still some configuration on MLM side, but less in the way messages are modified ----- Original Message ----- From: "Dave Crocker" <[email protected]> To: [email protected] Sent: Saturday, June 7, 2014 12:43:57 PM Subject: [dmarc-ietf] Fwd: New Version Notification for draft-kucherawy-dkim-delegate-00.txt Folks, I've been stewing on this idea for awhile and Murray pressed to get it into writing, adding his usual, significant enhancements to the original concept. We've gone a couple of rounds before releasing it, but it's still nascent enough to warrant gentle-but-firm handling. In other words, comments eagerly solicited. d/ -------- Original Message -------- Name: draft-kucherawy-dkim-delegate Revision: 00 Title: Delegating DKIM Signing Authority Document date: 2014-06-07 Group: Individual Submission Pages: 10 URL: http://www.ietf.org/internet-drafts/draft-kucherawy-dkim-delegate-00.txt Status: https://datatracker.ietf.org/doc/draft-kucherawy-dkim-delegate/ Htmlized: http://tools.ietf.org/html/draft-kucherawy-dkim-delegate-00 Abstract: DomainKeys Identified Mail (DKIM) permits a handling agent to affix a digital signature to an email message, associating a domain name with that message using cryptographic signing techniques. The digital signature typically covers most of a message's original portions, although the specific choices for content hashing are at the discretion of the signer. DKIM signatures survive simply email relaying but typically are invalidated by processing through Mediators, such as mailing lists. For such cases, the signer needs a way to indicate that a valid signature from some third party was anticipated, and constitutes an acceptable handling of the message. This enables a receiver to conclude that the content is legitimately from that original signer, even though its original signature no longer validates. This document defines a mechanism for improving the ability to assess DKIM validity for such messages. -- Dave Crocker Brandenburg InternetWorking bbiw.net _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
