Without DMARC, DKIM is anti-modification, not anti-spoofing.  DKIM is there to 
say that a message has not been modified from the time that the DKIM header was 
added until it was authenticated by the recipient.  It doesn't need to match 
the from address (think yahoo, gmail, Hotmail, etc that send outbound mail for 
thousands of domains), just as hostnames in your SPF record are not limited to 
the "from" domain.  

Once DMARC comes into the picture then the domain owner can enforce the use of 
only an authorized DKIM signing key for the domain, which functionally works as 
anti-spoofing, but there is no requirement for from domain alignment there 
either (once again, think yahoo, etc).

--adam

> -----Original Message-----
> From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Doug Brenner
> Sent: Wednesday, February 10, 2016 12:46 PM
> To: mailop@mailop.org
> Subject: [mailop] DKIM signing domain selection (RFC 5863 section 2.3) question
> 
> RFC 5863 section 2.3, "Choosing the Signing Domain Name", discusses
> using multiple domains to separate different email streams, e.g., marketing
> vs. transactional.
> 
> I'm curious about experiences of doing this when the RFC5822.From and/or
> RFC5821.From domain(s) are the parent.
> 
> For example, say I send email with header,
> 
>   From: m...@example.com
> 
> and DKIM sign with d=bulk.example.com.
> 
> I know the DKIM RFC says the "signing identity specified by the DKIM
> signature is not required to match an address in any particular header
> field", however, it's really up to the recipients in the end.
> 
> Is anyone doing this to separate email streams and create different DKIM
> domain reputations?
> 
> What "real-world" impact does it have when the header domain and DKIM
> domain don't match? (In particular, when the header domain is the parent
> as above.)
> 
> Is it worth the effort to set up this type of environment instead of just
> putting everything under the example.com domain?
> 
> I'm sure some sites are dealing with this by changing the From address to
> use a matching DKIM domain, but when you're dealing with a university
> where everyone wants to use the parent, sub-domains are likely to happen.
> 
> If you can point me to resources or a better discussion list, that's fine too.
> Thanks.
> --
> Doug Brenner, UNIX System Administrator
> Information Technology Services, The University of Iowa
> +1 319 467 1625 / doug-bren...@uiowa.edu / doug.bren...@gmail.com
> 
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
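The scenario in Doug's question (From: m...@example.com, signed with d=bulk.example.com) is exactly the case DMARC's identifier alignment (RFC 7489) decides: a verified DKIM signature counts toward DMARC only if its d= domain aligns with the RFC5322.From domain, in either relaxed mode (same organizational domain, the default) or strict mode (exact match). The following is an added example, not code from the thread or from any mailop participant, showing a small alignment evaluator; the public-suffix set, the sample DKIM-Signature header and the domains bigmailer.example.net and sel2016 are constructed for illustration, and a real verifier would use the full Public Suffix List.

```python
"""Added example: DMARC identifier alignment for DKIM and SPF results.

Demonstrates why From: example.com signed with d=bulk.example.com passes
DMARC under relaxed alignment (adkim=r) but fails under strict (adkim=s),
and why a valid signature from an unrelated domain passes DKIM yet never
satisfies DMARC. Not code from the mailop thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# sample domains used here. Production code must use the real PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the organizational domain (one label above the public suffix)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """RFC 7489 alignment: 's' requires an exact match, 'r' the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dkim_signing_domain(header_value: str) -> str:
    """Extract the d= tag from a DKIM-Signature value (RFC 6376 tag=value list)."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    return tags["d"]


@dataclass
class AuthResult:
    """Authentication outcome for one message, as a DMARC evaluator sees it."""
    from_domain: str                                   # RFC5322.From domain
    dkim_passes: List[str] = field(default_factory=list)  # d= of signatures that verified
    spf_domain: Optional[str] = None                   # RFC5321.MailFrom domain if SPF passed


def dmarc_evaluate(result: AuthResult, adkim: str = "r", aspf: str = "r") -> Dict[str, object]:
    """DMARC passes if at least one passing identifier aligns with the From domain."""
    dkim_aligned = [d for d in result.dkim_passes if aligned(d, result.from_domain, adkim)]
    spf_aligned = result.spf_domain is not None and aligned(
        result.spf_domain, result.from_domain, aspf)
    return {
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "dmarc": "pass" if (dkim_aligned or spf_aligned) else "fail",
    }


# Constructed sample header matching Doug's scenario (bh= and b= are placeholders).
SAMPLE_DKIM_HEADER = (
    "v=1; a=rsa-sha256; d=bulk.example.com; s=sel2016; c=relaxed/relaxed;\r\n"
    "\th=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=="
)


def scenarios() -> Dict[str, str]:
    """Run the three cases discussed in the thread and return each DMARC verdict."""
    d = dkim_signing_domain(SAMPLE_DKIM_HEADER)
    return {
        # parent From domain, sub-domain signing key, relaxed policy: aligned
        "subdomain_relaxed": dmarc_evaluate(AuthResult("example.com", [d]), adkim="r")["dmarc"],
        # same message under adkim=s: the sub-domain no longer aligns
        "subdomain_strict": dmarc_evaluate(AuthResult("example.com", [d]), adkim="s")["dmarc"],
        # third-party provider signs with its own domain: DKIM ok, DMARC not
        "third_party_key": dmarc_evaluate(
            AuthResult("example.com", ["bigmailer.example.net"]))["dmarc"],
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The third case is the "yahoo, gmail" situation from the reply: the provider's signature is cryptographically valid, so DKIM itself passes, but without an aligned identifier the message does not pass DMARC, which is what turns DKIM from an anti-modification check into something a domain owner can use against spoofing. If the university wants the parent domain in From: while sub-domain keys sign the bulk stream, publishing (or keeping) adkim=r is the setting that keeps that mail passing.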