On Sun, Apr 05, 2009 at 12:21:51AM +0100, John R. Levine wrote:
>>> One of us should send in a separate technical erratum saying that DKIM
>>> key records SHOULD be published only for SDID domains that have
>>> corresponding MX or A records and can receive mail.
>>
>> I believe your later posting on this retracted the suggestion, but this
>> issue strikes me as one that is very easy (and common) to misunderstand.
>> So it's worth emphasizing. Might be worth adding tidbits to the
>> Deployment draft?
>>
>> The d= domain name is permitted to have /no relationship/ to any
>> mail-sending or mail-receiving domain name. Hence, no A, MX, or
>> possibly /any(!)/ DNS resource records for the name.
>
>Right. You have to control the branch of the DNS tree where the d= domain
>would exist, since you need that to be able to install the key records,
>but the domain doesn't have to exist otherwise. Once you remember that
>the big advance of DKIM over its predecessors is to separate the signing
>domain from the domains in various other headers, this is clearly the
>right way for it to work.

+1 my thinking has always been 3243242.rep.example.net.

--
Jeff Macdonald
[email protected]
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
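
The lookup discussed in this thread, as an added example that is not part of the original messages: a verifier derives the key-record name from the s= and d= tags and queries only that TXT record, so the d= name itself needs no A or MX record. The selector `sel1`, the header, the zone contents and the helper names are constructed for illustration.

```python
import re

# Constructed zone: the only record under the d= name is the key record.
# 3243242.rep.example.net itself has no A, MX or other records.
ZONE = {
    ("sel1._domainkey.3243242.rep.example.net", "TXT"):
        "v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY",
}

# Constructed DKIM-Signature value; bh= and b= are placeholders, not real data.
HEADER = ("v=1; a=rsa-sha256; d=3243242.rep.example.net; s=sel1;\r\n"
          "\tc=relaxed/simple; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")


def parse_tag_list(value):
    """Parse an RFC 6376 tag-list (tag=value pairs separated by ';')."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or name in tags:
            raise ValueError("malformed or duplicate tag: %r" % part)
        # Simplification: drop all folding whitespace inside the value.
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def key_query_name(sig_tags):
    """Name a verifier queries for the public key: <s>._domainkey.<d>."""
    return "%s._domainkey.%s" % (sig_tags["s"], sig_tags["d"].lower().rstrip("."))


def lookup(name, rtype, zone=ZONE):
    """Stand-in resolver over the constructed zone; None means no such record."""
    return zone.get((name.lower(), rtype))


def find_key(header_value, zone=ZONE):
    """Return the parsed key record for a signature, or None if absent or revoked."""
    sig = parse_tag_list(header_value)
    txt = lookup(key_query_name(sig), "TXT", zone)
    if txt is None:
        return None
    key = parse_tag_list(txt)
    return key if key.get("p") else None  # an empty p= means the key is revoked
```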
