I'm slightly confused. I have a strong sense that the d= tag should be the same between the AS and AMS within an ADMD. I can absolutely see why the s= might legitimately vary. However, I can't see the harm in the d= tag differing. If the signatures validate, why should this matter?
Might this be simpler with language like "it is RECOMMENDED that the d= value match between the AS and AMS, as any receiver might look at a mismatch as suspicious." i.e. Don't outright deny because maybe there's a legitimate reason to do this that hasn't been discovered, and leave it up to receivers how to deal with this?

Seth

On Thu, Jun 1, 2017 at 4:05 AM, Kurt Andersen (b) <kb...@drkurt.com> wrote:

> On Thu, Jun 1, 2017 at 12:10 PM, Murray S. Kucherawy <superu...@gmail.com>
> wrote:
>
>> On Wed, May 31, 2017 at 6:23 PM, Kurt Andersen (b) <kb...@drkurt.com>
>> wrote:
>>
>>> There's another question that had been raised by Seth about whether d=
>>> needs to match within an ARC set. The answer is yes, [...]
>>>
>>
>> Why?
>>
>> -MSK
>>
>
> If an ARC-set is created by a single ADMD, I think it's reasonable for
> that ADMD to identify itself in a singular manner, though I suppose we
> could have recourse to our favorite "org domain" alignment instead of
> strict matching if you think that's better. I think that strict d= matching
> is simpler and less likely to be misused/broken.
>
> --Kurt
>

--
Bringing Trust to Email
Seth Blank | Head of Product for Open Source and Protocols
s...@valimail.com
+1-415-894-2724
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
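
The receiver-side check discussed in this thread, as an added illustration that is not part of any message above and is not code from the ARC draft: it groups ARC-Seal (AS) and ARC-Message-Signature (AMS) headers by their i= instance and reports sets whose d= values differ under strict matching, as a signal for the receiver to weigh and not as a validation failure. The header values are constructed, and the names `parse_tags` and `d_mismatches` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample headers (not from a real message); signature data is dummy.
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=example.org; s=seal2017; b=AAAA"),
    ("ARC-Message-Signature",
     "i=1; a=rsa-sha256; d=example.org; s=msg2017; h=from:to; bh=BBBB; b=CCCC"),
    ("ARC-Seal", "i=2; a=rsa-sha256; cv=pass; d=lists.example.net; s=k1; b=DDDD"),
    ("ARC-Message-Signature",
     "i=2; a=rsa-sha256; d=example.net; s=k1; h=from:to; bh=EEEE; b=FFFF"),
]

KINDS = {"arc-seal": "AS", "arc-message-signature": "AMS"}

def parse_tags(value):
    """Parse a DKIM-style tag list ('k=v; k=v') into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")  # split on first '=' only (base64 padding)
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def d_mismatches(headers):
    """Return {instance: (as_d, ams_d)} for ARC sets whose AS and AMS d= differ.

    Strict, case-insensitive comparison; s= is deliberately not compared,
    since the selector may legitimately vary within one ADMD.
    """
    sets = defaultdict(dict)
    for name, value in headers:
        kind = KINDS.get(name.lower())
        if kind is None:
            continue  # not an AS or AMS header
        tags = parse_tags(value)
        if tags.get("i", "").isdigit() and "d" in tags:
            sets[int(tags["i"])][kind] = tags["d"].lower().rstrip(".")
    return {i: (s["AS"], s["AMS"]) for i, s in sorted(sets.items())
            if "AS" in s and "AMS" in s and s["AS"] != s["AMS"]}

if __name__ == "__main__":
    for instance, (as_d, ams_d) in d_mismatches(SAMPLE_HEADERS).items():
        print(f"ARC set i={instance}: AS d={as_d} differs from AMS d={ams_d}")
```

Instance 2 would pass under the "org domain" alignment mentioned in the thread, which needs a Public Suffix List lookup that this strict comparison leaves out.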