This was just discussed in a thread with Jim Fenton last week (although from the DNS angle).
The tl;dr is that we don't believe they'll ever be different, but there's no technical reason to require d=/s= alignment between AS/AMS for the same i=. We can foresee places where separate signing domains could make sense, such as the AS being signed by an organization, and the AMS by the service within that organization that performed the modification. For instance, AS d=example.com, AMS d=examplelists.com. This seems to be something that will become clear with data: does everyone sign with the same domains? Are there clear use cases where people want to use different domains? Since there was no technical reason to go either way, and requiring alignment gave no benefit but added additional normative language to the text, we decided to hold off and instead call out a recommendation to keep them the same ("a receiver might treat a different domain between AS/AMS as suspicious") in the usage guide until real world observations changed said guidance. On Fri, Jul 27, 2018 at 10:24 AM, John Levine <jo...@taugh.com> wrote: > The ARC draft clearly says that every ARC header can be signed by > whatever domain you want. > > I understand what that means technically, but I don't understand the > semantics of an ARC set where the AMS and AS are signed by different > domains. > > R's, > John > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc