On Sun, 30 Jan 2022, Alessandro Vesely wrote:
> Let me ask if the following scenario is possible at all:
> .BANK admins decide to set up a DKIM signing service for .bank domains. They
> register dkim.bank, and accept and relay messages originating from their
> customers, signing them with d=dkim.bank. (Compare to onmicrosoft.com?)
Sounds like a bad idea, but OK for now ... I note that onmicrosoft.com is
an MTA farm, and they have ways to apply valid customer DKIM signatures if
they want to.
> They may consider that a tangible way to protect .bank domains.
No, they won't. See below.
> Will that work to validate, say, mail From: [email protected]?
No, of course not. dkim.bank is no different from any other domain
registered under .bank.
Scott knows better than me, but my understanding of PSD is that it's a way
to check whether registrants have published the DMARC policies they are
supposed to, and to provide a backstop until they do, not another way to
try and circumvent broken configurations.
PSDs only make sense in TLDs (or TL-ish Ds) that have a strong enough
relationship with their registrants to require DMARC policies. That's one
of the many reasons you'll never see a PSD in .com or .org or .hockey.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
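The two points in the reply above (a d=dkim.bank signature cannot align with a From: address under another .bank registrant, and a PSD record is only a backstop consulted when the registrant has published nothing) can be shown with a small model of DMARC identifier alignment and the lookup order. This is an added example, not code from the thread or from any DMARC implementation: the public-suffix set, the `_dmarc` TXT records and the `psd=y` handling are constructed for illustration, and real verifiers use the full Public Suffix List and DNS.

```python
# Toy model of DMARC identifier alignment plus the PSD fallback lookup.
# All data below is constructed for this example; it is not real DNS.

# Reduced public-suffix set (the real one is the Public Suffix List).
PUBLIC_SUFFIXES = {"com", "org", "bank", "co.uk"}

# Hypothetical records: the .bank PSD publishes a backstop policy,
# bigbank.bank publishes its own, example.bank publishes nothing.
DNS_TXT = {
    "_dmarc.bank": "v=DMARC1; p=reject; psd=y",
    "_dmarc.bigbank.bank": "v=DMARC1; p=quarantine",
}


def organizational_domain(domain):
    """Organizational domain: the label just below the longest public suffix."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return suffix  # the name is itself a public suffix
            return ".".join(labels[i - 1:])
    return domain.lower()  # unknown suffix: treat the whole name as org domain


def dkim_aligned(from_domain, dkim_d, mode="r"):
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires the DKIM d= to equal the From: domain exactly."""
    from_domain, dkim_d = from_domain.lower(), dkim_d.lower()
    if mode == "s":
        return from_domain == dkim_d
    return organizational_domain(from_domain) == organizational_domain(dkim_d)


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def find_policy(from_domain):
    """Return (name_where_found, tags) or (None, None).

    Lookup order: the From: domain itself, then its organizational domain,
    then the public suffix above it, which counts only if it says psd=y."""
    from_domain = from_domain.lower()
    org = organizational_domain(from_domain)
    candidates = [from_domain, org]
    labels = org.split(".")
    if len(labels) > 1:
        candidates.append(".".join(labels[1:]))  # the PSD candidate
    seen = []
    for name in candidates:
        if name in seen:
            continue
        seen.append(name)
        txt = DNS_TXT.get("_dmarc." + name)
        if not txt or not txt.startswith("v=DMARC1"):
            continue
        tags = parse_dmarc(txt)
        if name not in (from_domain, org) and tags.get("psd") != "y":
            continue  # a suffix record without psd=y is not a PSD backstop
        return name, tags
    return None, None


def dmarc_verdict(from_domain, dkim_d, dkim_valid=True):
    """'pass' when a valid, aligned DKIM signature exists; otherwise the
    policy's disposition, or 'none' when no policy is published anywhere."""
    _, tags = find_policy(from_domain)
    if tags is None:
        return "none"
    aligned = dkim_valid and dkim_aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    return "pass" if aligned else tags["p"]


if __name__ == "__main__":
    # The scenario from the thread: mail From: example.bank signed d=dkim.bank.
    print(find_policy("example.bank"))             # policy comes from the .bank PSD
    print(dmarc_verdict("example.bank", "dkim.bank"))       # reject (not aligned)
    print(dmarc_verdict("bigbank.bank", "bigbank.bank"))    # pass
```

The PSD record only ever surfaces for `example.bank`, which has published nothing of its own; `bigbank.bank` is served by its own record before the suffix is consulted. And because `organizational_domain("dkim.bank")` is `dkim.bank`, not `example.bank`, the shared signer's signature never aligns, so the backstop policy applies to that mail rather than rescuing it.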
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc