On Mar 11, 2009, at 1:26 PM, Michael Thomas wrote:

> Steve Atkins wrote:
>> If there were another field in the DKIM-Signature header, or an
>> entirely separate email header covered by the DKIM signature, that
>> stated "all email sent using this domain in the From field will be
>> DKIM signed" then any receiving MTA or MTA cluster could keep track
>> of that state (probably using their existing reputation tracking
>> system in the case of large receivers, and using a fairly trivial
>> extension to their DKIM plugins in the case of smaller ones).
>
> If nothing else, this would make revocation sort of... bizarre
> and unpredictable. The implication is that I'd have to send $you
> mail (for $you == 'universe') to get you to nuke my record in your
> database. Of course every good protocol becomes a control protocol
> for others, but still this seems a little whacked even by that
> standard :)
The only effect of the record is to reject mail that claims to be from me. If I never send you legitimate email then it'll never be an issue. If I send you legitimate email that's DKIM signed, then that includes the revocation.

I'd presume there'd be some sort of TTL included, probably in the 2-13 month sort of timescale. So you'd just have to keep signing all your outbound email with DKIM for a little longer than that TTL.

Cheers,
  Steve

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
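One way to model the receiver-side state the two messages above argue about, as an added illustration that is not code from this thread, from the DKIM specification or from any MTA plugin. Everything about the record's shape is assumed: that the "all mail from this domain is signed" assertion rides inside the verified DKIM-Signature header with a TTL in seconds, that only a verified signature may create, refresh or withdraw a record (so a third party cannot plant or erase state for someone else's domain), and that a later verified signature without the assertion withdraws it (one reading of "that includes the revocation"). The `Message` and `SigningAssertionCache` names and the timelines are constructed for the example.

```python
"""Receiver-side memory of which From domains claim to DKIM-sign everything.

Added example, not code from the mailing list, the DKIM spec or any MTA.
Assumptions: the assertion is carried inside the verified DKIM-Signature
header together with a TTL in seconds; a verified signature without the
assertion withdraws the record; an unverified message can never touch it.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Message:
    """Constructed stand-in for the outcome of DKIM verification on one mail."""
    from_domain: str
    dkim_verified: bool               # a signature by from_domain verified
    asserts_all_signed: bool = False  # assumed assertion was inside that signature
    ttl_seconds: int = 0              # lifetime the signer attached to the assertion


class SigningAssertionCache:
    """Per-receiver table: From domain -> time at which its assertion lapses."""

    def __init__(self) -> None:
        self._expires: Dict[str, int] = {}

    def observe(self, msg: Message, now: int) -> None:
        # Unverified mail is ignored: otherwise anyone could plant a record that
        # gets a victim domain's unsigned mail rejected, or erase a real one.
        if not msg.dkim_verified:
            return
        if msg.asserts_all_signed:
            self._expires[msg.from_domain] = now + msg.ttl_seconds
        else:
            # Assumed explicit withdrawal: signed mail that no longer asserts.
            self._expires.pop(msg.from_domain, None)

    def asserts_all_signed(self, domain: str, now: int) -> bool:
        expiry = self._expires.get(domain)
        if expiry is None:
            return False
        if expiry <= now:  # TTL lapsed: forget the domain, as the thread's TTL implies
            del self._expires[domain]
            return False
        return True

    def decide(self, msg: Message, now: int) -> str:
        """Return 'accept' or 'reject' for one incoming message at time `now`."""
        self.observe(msg, now)
        if msg.dkim_verified:
            return "accept"
        # Unsigned mail is rejected only while the From domain's assertion is live.
        return "reject" if self.asserts_all_signed(msg.from_domain, now) else "accept"


def revocation_timeline() -> List[Tuple[int, str]]:
    """Constructed sequence showing TTL-based revocation: the domain publishes the
    assertion once, never refreshes it, and unsigned mail is accepted again only
    after the TTL has lapsed. An unrelated domain's record does not interfere."""
    cache = SigningAssertionCache()
    events = [
        (0, Message("example.com", True, True, ttl_seconds=100)),    # assertion published
        (10, Message("example.com", False)),                          # unsigned spoof
        (20, Message("other.example", True, True, ttl_seconds=500)),  # unrelated domain
        (50, Message("example.com", False)),                          # still within TTL
        (101, Message("example.com", False)),                         # TTL lapsed
    ]
    return [(t, cache.decide(m, t)) for t, m in events]


def explicit_withdrawal() -> List[Tuple[int, str]]:
    """Constructed sequence: signed mail without the assertion clears the record
    at this receiver, so the sender need not wait out the TTL here."""
    cache = SigningAssertionCache()
    events = [
        (0, Message("example.com", True, True, ttl_seconds=1000)),
        (5, Message("example.com", False)),   # rejected: assertion live
        (10, Message("example.com", True)),   # signed, assertion withdrawn
        (15, Message("example.com", False)),  # accepted again
    ]
    return [(t, cache.decide(m, t)) for t, m in events]


if __name__ == "__main__":
    for t, decision in revocation_timeline():
        print(f"t={t:>3}: {decision}")
```

The two timelines make Steve's point concrete: a receiver that never sees another signed mail from the domain simply ages the record out, which is why the sender must keep signing for at least the TTL; a receiver that does see one can drop the record immediately. Either way only verified signatures move state, so an unsigned third party cannot use the mechanism to get someone else's mail rejected.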
