On 8/3/09 5:28 PM, hector wrote:
> The near issue has already come up and the end-result - NO. A
> customer was asked by their direct marketing spammer to add DKIM/DKEY
> records because YAHOO was forcing the issue on the spammer to access
> YAHOO recipients.
>
> They wanted to sign:
>
>    coupons.majorcompany.com
>
> and ask the company to add DNS selector records. But the major
> company did have a way to stop fake or 3rd party
>
>    majorcompany.com
>    dept.majorcompany.com
>    services.majorcompany.com
>
> signatures once bad guys learned that the domain was being signed!
>
> Since DKIM lacks fault detection, the answer was no.

The g= tag within the key could limit the local-part of the i= value found in the signature header, but would not prevent the use of subdomains. This would mean that g=noreply would allow:

   [email protected]
   [email protected]
   [email protected]

and even without the g= restriction the key would not allow:

   majorcompany.com
   dept.majorcompany.com
   services.majorcompany.com

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
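
Added example, not part of the original message or of any DKIM implementation: a small checker for the scoping rule discussed above, using the RFC 4871 semantics of d=, i= and the key's g= tag. The function names and the sample identities are constructed for illustration; only the domain names come from the thread.

```python
# Added illustration of RFC 4871 identity scoping (d=, i=, key g=).
# Function names and sample identities are constructed, not from the thread.

def local_part_matches(g: str, local: str) -> bool:
    """Match the local-part of i= against the key's g= granularity.

    g= is a literal local-part that may contain one '*' wildcard.
    The default "*" matches anything; an empty g= matches nothing.
    """
    if g == "":
        return False
    if "*" not in g:
        return g == local
    prefix, _, suffix = g.partition("*")
    return (len(local) >= len(prefix) + len(suffix)
            and local.startswith(prefix) and local.endswith(suffix))


def identity_allowed(d: str, i: str = "", g: str = "*") -> bool:
    """True if identity i= is in scope for signing domain d= and key g=.

    The domain of i= must equal d= or be a subdomain of it; a parent or
    sibling domain is out of scope whatever g= says.
    """
    if not i:
        i = "@" + d  # i= defaults to an empty local-part at d=
    local, _, domain = i.rpartition("@")
    d, domain = d.lower().rstrip("."), domain.lower().rstrip(".")
    # Compare on a label boundary so "evilcoupons..." is not a subdomain.
    in_scope = domain == d or domain.endswith("." + d)
    return in_scope and local_part_matches(g, local)


# Constructed identities checked against d=coupons.majorcompany.com.
SAMPLES = [
    "noreply@coupons.majorcompany.com",
    "noreply@eu.coupons.majorcompany.com",
    "sales@coupons.majorcompany.com",
    "noreply@majorcompany.com",
    "noreply@dept.majorcompany.com",
    "noreply@evilcoupons.majorcompany.com",
]


def evaluate(d: str, g: str) -> dict:
    return {i: identity_allowed(d, i, g) for i in SAMPLES}


if __name__ == "__main__":
    for ident, ok in evaluate("coupons.majorcompany.com", "noreply").items():
        print(f"{'allow ' if ok else 'reject'}  {ident}")
```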
