This was just discussed in a thread with Jim Fenton last week (although
from the DNS angle).

The tl;dr is that we don't believe they'll ever be different, but there's
no technical reason to require d=/s= alignment between AS/AMS for the same
i=.

We can foresee places where separate signing domains could make sense, such
as the AS being signed by an organization, and the AMS by the service
within that organization that performed the modification. For instance, AS
d=example.com, AMS d=examplelists.com.

This seems to be something that will become clear with data: does everyone
sign with the same domains? Are there clear use cases where people want to
use different domains?

Since there was no technical reason to go either way, and requiring
alignment gave no benefit but added additional normative language to the
text, we decided to hold off and instead call out a recommendation to keep
them the same ("a receiver might treat a different domain between AS/AMS as
suspicious") in the usage guide until real-world observations changed said
guidance.

On Fri, Jul 27, 2018 at 10:24 AM, John Levine <jo...@taugh.com> wrote:

> The ARC draft clearly says that every ARC header can be signed by
> whatever domain you want.
>
> I understand what that means technically, but I don't understand the
> semantics of an ARC set where the AMS and AS are signed by different
> domains.
>
> R's,
> John
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
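The receiver-side check mentioned in the reply above (noting when AS and AMS for the same i= carry different d=/s=) could look like the following. This is an added example, not code from the thread or from the ARC draft; the function names and the sample message are constructed for illustration.

```python
from email import message_from_string

# Constructed sample: two ARC sets; signature and hash values are placeholders.
SAMPLE = """\
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=example.com; s=seal2018;
 b=PLACEHOLDER
ARC-Message-Signature: i=2; a=rsa-sha256; d=examplelists.com; s=lists;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=2; example.com; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=example.org; s=k1; b=PLACEHOLDER
ARC-Message-Signature: i=1; a=rsa-sha256; d=example.org; s=k1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
ARC-Authentication-Results: i=1; example.org; spf=pass
From: sender@example.org
Subject: constructed test message

body
"""

def parse_tags(value):
    """Parse a DKIM-style tag list ("k=v; k=v") into a dict."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = "".join(val.split())  # drop folding whitespace
    return tags

def as_ams_mismatches(raw_message):
    """Return [(instance, tag, as_value, ams_value)] where AS and AMS differ."""
    msg = message_from_string(raw_message)
    seals, sigs = {}, {}
    for name, store in (("ARC-Seal", seals), ("ARC-Message-Signature", sigs)):
        for value in msg.get_all(name, []):
            tags = parse_tags(value)
            if tags.get("i", "").isdigit():
                store[int(tags["i"])] = tags
    findings = []
    for i in sorted(seals.keys() & sigs.keys()):
        for tag in ("d", "s"):
            a, m = seals[i].get(tag, ""), sigs[i].get(tag, "")
            # Domains and selectors are DNS names, so compare case-insensitively.
            if a.lower() != m.lower():
                findings.append((i, tag, a, m))
    return findings

if __name__ == "__main__":
    for i, tag, a, m in as_ams_mismatches(SAMPLE):
        print(f"i={i}: AS {tag}={a} but AMS {tag}={m} (policy signal only)")
```

A mismatch reported here is only an input to local policy; it says nothing about whether the ARC chain validates.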