On Sunday, January 30, 2022 11:14:18 AM EST John R Levine wrote:
> On Sun, 30 Jan 2022, Alessandro Vesely wrote:
> > Let me ask if the following scenario is possible at all:
> >
> > .BANK admins decide to set up a DKIM signing service for .bank domains.
> > They register dkim.bank, and accept and relay messages originating from
> > their customers, signing them with d=dkim.bank. (Compare to
> > onmicrosoft.com?)
>
> Sounds like a bad idea, but OK for now ... I note that onmicrosoft.com is
> an MTA farm, and they have ways to apply valid customer DKIM signatures if
> they want to.
>
> > They may consider that a tangible way to protect .bank domains.
>
> No, they won't. See below.
>
> > Will that work to validate, say, mail From: [email protected]?
>
> No, of course not. dkim.bank is no different from any other domain
> registered under .bank.
>
> Scott knows better than me, but my understanding of PSD is that it's a way
> to check whether registrants have published the DMARC policies they are
> supposed to, and to provide a backstop until they do, not another way to
> try and circumvent broken configurations.
>
> PSDs only make sense in TLDs (or TL-ish Ds) that have a strong enough
> relationship with their registrants to require DMARC policies. That's one
> of the many reasons you'll never see a PSD in .com or .org or .hockey.
I believe that's largely correct. It also gives a mechanism to apply DMARC
policies to non-existent domains, which has some value for dealing with
unregistered entities subject to spoofing.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
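The two points above, that a signature with d=dkim.bank cannot align with a From: domain under example.bank, and that a PSD record at _dmarc.bank can act as a backstop for a non-existent or unregistered .bank name, can be checked with a small model of DMARC identifier alignment (RFC 7489) and PSD policy discovery (RFC 9091). The code below is an added example, not code from this thread or from any DMARC implementation; the DNS TXT records, the public-suffix table, the PSD registry and the set of "registered" domains are all constructed in memory so it runs offline, and the existence check behind the np= tag is a plain set lookup rather than the A/AAAA/MX query a real validator performs.

```python
"""
Simplified DMARC alignment and policy discovery for the dkim.bank scenario.
Everything below the docstring that looks like DNS or registry data is
constructed for this example (assumption), not real .bank data.
"""

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"bank", "com", "co.uk"}

# Constructed PSD registry: TLDs whose operator publishes a PSD DMARC record.
PSD_DOMAINS = {"bank"}

# Constructed "these domains exist" set, used in place of an A/AAAA/MX probe.
REGISTERED = {"example.bank", "dkim.bank", "mail.example.bank"}

# Constructed DNS TXT records. _dmarc.bank is the PSD record (psd=y, np= for
# non-existent subdomains); example.bank publishes its own; dkim.bank has none.
DNS_TXT = {
    "_dmarc.bank": "v=DMARC1; p=quarantine; np=reject; psd=y",
    "_dmarc.example.bank": "v=DMARC1; p=quarantine; adkim=r; aspf=r",
}


def organizational_domain(domain):
    """Label directly below the longest matching public suffix (RFC 7489 s3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_dmarc(txt):
    """Split 'k=v; k=v' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags


def lookup(name):
    """Fetch and parse _dmarc.<name> from the constructed DNS table."""
    txt = DNS_TXT.get("_dmarc." + name)
    if txt and txt.lower().startswith("v=dmarc1"):
        return parse_dmarc(txt)
    return None


def discover_policy(from_domain):
    """RFC 7489 discovery (From: domain, then organizational domain); if both
    are missing, RFC 9091 allows one more step up to the PSD, but only when it
    is a registered PSD and its record carries psd=y. Returns (domain, tags)."""
    from_domain = from_domain.lower()
    org = organizational_domain(from_domain)
    for name in dict.fromkeys([from_domain, org]):
        policy = lookup(name)
        if policy:
            return name, policy
    psd = org.split(".", 1)[1] if "." in org else None
    if psd in PSD_DOMAINS:
        policy = lookup(psd)
        if policy and policy.get("psd") == "y":
            return psd, policy
    return None, None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain. dkim.bank and example.bank are two
    different organizational domains, so they never align in either mode."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


def evaluate(from_domain, dkim_domains=(), spf_domain=None):
    """Disposition for one message: From: domain, the d= values of DKIM
    signatures that verified, and the MailFrom domain if SPF passed.
    Returns (disposition, domain whose policy was applied)."""
    policy_domain, policy = discover_policy(from_domain)
    if policy is None:
        return "none", None
    dkim_ok = any(aligned(from_domain, d, policy.get("adkim", "r")) for d in dkim_domains)
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass", policy_domain
    if from_domain.lower() != policy_domain:
        if from_domain.lower() not in REGISTERED and "np" in policy:
            return policy["np"], policy_domain   # non-existent subdomain (RFC 9091)
        if "sp" in policy:
            return policy["sp"], policy_domain   # existing subdomain (RFC 7489)
    return policy.get("p", "none"), policy_domain


if __name__ == "__main__":
    cases = [
        ("example.bank", ["dkim.bank"]),          # relayed and signed by dkim.bank
        ("example.bank", ["example.bank"]),       # the domain's own signature
        ("mail.example.bank", ["example.bank"]),  # relaxed alignment with parent
        ("nonexistent.bank", ["dkim.bank"]),      # PSD backstop, np= applies
        ("example.com", ["dkim.bank"]),           # .com is not a PSD: nothing to enforce
    ]
    for frm, dkim in cases:
        print(f"From: {frm:18} DKIM d={dkim}  -> {evaluate(frm, dkim)}")
```

The first case is the one asked about: example.bank's own record is found, dkim.bank does not align with it under either adkim mode, and the message gets example.bank's p=quarantine. The nonexistent.bank case shows the backstop Scott describes: no record exists for the From: domain, so discovery falls through to _dmarc.bank, and because the name is not a registered domain the PSD's np=reject applies. The example.com case shows why a PSD lookup only happens for registered PSDs.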
