> In order to do this by key delegation, example.com would need to obtain
> a public key from exampletwo.com and publish it in its own DNS.

More likely, example.com will delegate a subzone to exampletwo.com and let exampletwo handle all of the mechanics. One possibility would be that they'd delegate something like email.example.com and exampletwo would do the A and MX as well as the keys. Another would be to delegate ex2._domainkey.example.com so they just manage (some of) the keys. As I've noted several times, the first scenario is very typical of large mailers using ESPs, many of which do DK signing now.

> My opinion, if it isn't already obvious from the above discussion, is
> that designation is a flawed way of delegating signing authority.

Agreed. The main argument I've heard in favor of designation is that some outsourced DNS services don't let you insert your own NS records, which strikes me as a reason to find a better DNS provider, not to design a protocol around it.

R's,
John

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
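The two delegation shapes described in the message above, written out as BIND-style zone excerpts. This is an added illustration, not part of the original post; the name server names, selector names and the `p=` key values are placeholders.

```zone
;; --- zone file for example.com (the signing domain) ---
$ORIGIN example.com.

; Shape 1: hand a whole mail subdomain to the ESP. exampletwo then
; publishes the A, MX and DKIM selector records under email.example.com.
email             IN NS   ns1.exampletwo.com.
email             IN NS   ns2.exampletwo.com.

; Shape 2: delegate only a slice of the DKIM key namespace, so
; exampletwo manages just the selectors that end in ".ex2".
ex2._domainkey    IN NS   ns1.exampletwo.com.
ex2._domainkey    IN NS   ns2.exampletwo.com.

; Keys that example.com operates itself stay in its own zone.
s2023._domainkey  IN TXT  "v=DKIM1; k=rsa; p=<EXAMPLE-COM-PUBLIC-KEY-PLACEHOLDER>"

;; --- zone file served by exampletwo's name servers for the delegated subzone ---
$ORIGIN ex2._domainkey.example.com.
@       IN SOA  ns1.exampletwo.com. hostmaster.exampletwo.com. (
                    1 3600 900 1209600 300 )
@       IN NS   ns1.exampletwo.com.
@       IN NS   ns2.exampletwo.com.

; A signature with d=example.com; s=jan24.ex2 resolves to
; jan24.ex2._domainkey.example.com, i.e. this record, without
; example.com ever having to copy exampletwo's public key.
jan24   IN TXT  "v=DKIM1; k=rsa; p=<EXAMPLETWO-PUBLIC-KEY-PLACEHOLDER>"
```

No glue records are needed in example.com because the delegated name servers live under exampletwo.com; key rotation is then entirely in exampletwo's hands, while example.com can revoke the arrangement by dropping the NS records.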
