4.3. Scenario 3: Outsourced First Party Signing
Append:
One aspect of message handling that benefits greatly from the
inclusion of a DKIM signature is abuse reporting. As DKIM offers no
replay protections, the principal identifier accruing behavioral
information must remain the client IP address. As such, the domain
transmitting a message should also be the domain signing the message.
This ensures vital abuse feedback reaches the party most likely
affected.
This does not happen when keys or delegations of a foreign domain are
utilized within the DKIM signature 'd=' parameter.
A domain offering either its key or a portion of its domain may not
have access to the logs needed to repudiate messages it may wish to
later refute. The source of a signed message being questioned may
prove difficult to determine when a provider is entrusted to perform
signing "as-if" a first party from the perspective of the 2822.From
email-address domain.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
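The distinction the message above draws between the signing domain ('d='), the 2822.From domain and the transmitting host can be checked mechanically at the receiver. The following is an added example, not part of Doug's message or of any draft text: it reads the 'd=' tag from a DKIM-Signature header and relates it to the From domain and to the host named in the outermost Received header, without verifying the signature (no key is fetched). The two sample messages, the hostnames, the selector and the signature values are all constructed for the example; the "is the transmitter inside the signer's domain" test is a simple suffix match, not a public-suffix-aware organizational-domain comparison.

```python
"""Relate a DKIM 'd=' domain to the From domain and the transmitting host.

Added example, not from the list post. It does not verify the signature;
it only reads the 'd=' tag and relates it to the 2822.From domain and to
the host in the outermost Received header, which is what a reporter keying
abuse feedback on 'd=' would effectively be doing.
"""
import email
import email.utils
import re

# Constructed sample 1: the ESP (esp.example.net) transmits the message and
# signs with its own key, i.e. a plain third-party signature.
MSG_THIRD_PARTY = """\
Received: from mta1.esp.example.net (mta1.esp.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id 4Kz1; Mon, 1 Jan 2024 00:00:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example.net;
\ts=sel1; h=from:to:subject; bh=MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5MDE=;
\tb=ZmFrZXNpZw==
From: Alice <alice@example.com>
To: bob@example.org
Subject: Invoice

Hello
"""

# Constructed sample 2: the same ESP transmits the message but signs with a
# key delegated under the From domain ("as-if" first-party signing).
MSG_DELEGATED = MSG_THIRD_PARTY.replace("d=esp.example.net;", "d=example.com;")


def unfold(value: str) -> str:
    """Collapse RFC 5322 folding whitespace in a header value."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def parse_dkim_tags(sig: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in unfold(sig).split(";"):
        part = part.strip()
        if not part:
            continue
        # b= and bh= contain '=' padding, so split on the first '=' only.
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def in_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (suffix match only)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def classify(raw: str) -> dict:
    """Return who signed, who the From domain is, and who transmitted."""
    msg = email.message_from_string(raw)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    signer = tags["d"]
    from_domain = email.utils.parseaddr(msg["From"])[1].rsplit("@", 1)[1]
    # The first Received header in the message is the outermost hop, i.e.
    # the host that handed the message to this receiver.
    received = unfold(msg["Received"])
    m = re.match(r"from\s+([^\s(]+)", received)
    transmitter = m.group(1) if m else ""
    return {
        "signer": signer,
        "from_domain": from_domain,
        "transmitter": transmitter,
        # Signature looks first-party relative to the From domain.
        "first_party_signature": in_domain(from_domain, signer)
        or in_domain(signer, from_domain),
        # Abuse feedback keyed on d= would reach the party that actually
        # transmitted the message (and holds the logs) only if this is true.
        "signer_is_transmitter": in_domain(transmitter, signer),
    }


if __name__ == "__main__":
    for label, raw in (("third-party", MSG_THIRD_PARTY), ("delegated", MSG_DELEGATED)):
        print(label, classify(raw))
```

In the delegated sample the signature looks first-party from the From domain's perspective, yet the signer is not the transmitter: feedback keyed on 'd=' would go to example.com, which does not hold the provider's transmission logs. That is the situation the message above describes.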