> - move all the broken signature reporting into the signature itself by making
>   them extension DKIM-Signature tags, rather than putting them in the key
>   records in the DNS; the revised design doesn't require DNS queries for
>   failed signatures that don't otherwise need them
Let's say I put this line in the header of a bazillion messages in a spam run:

  DKIM-Signature: v=1; d=blackops.org; s=bogus; b=foo; bh=bar; h=baz; r=murray;

I've just indirectly mailbombed you. Oops.

The domain has to publish something about its willingness to get reports, not
unlike the way that ADSP publishes a record about what to do if there's no
signature that matches the From: domains. Perhaps something like this:

  _report._domainkey.blackops.org TXT "r=sendreportshere"

It doesn't belong in the key record since, among other things, that would make
it hard to debug failures due to missing or malformed key records.

R's,
John

_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
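The consent check John describes, as an added example that is not code from this thread: a verifier honours the r= tag in a failed signature only when the signing domain has itself published a _report._domainkey record, so a forged signature cannot steer reports at a third party. The zone contents, both domains, and the reading of r= in the signature as a local part at the signing domain are assumptions made for the example.

```python
from typing import Callable, Dict, Optional

# Constructed TXT zone standing in for a DNS resolver; only signer.example
# has opted in to receiving reports.
DNS_TXT: Dict[str, str] = {
    "_report._domainkey.signer.example": "r=sendreportshere",
}


def parse_tags(value: str) -> Dict[str, str]:
    """Parse a DKIM-style tag=value list; folding whitespace inside values is dropped."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        key, val = part.split("=", 1)
        tags[key.strip()] = "".join(val.split())
    return tags


def lookup_txt(name: str) -> Optional[str]:
    """Offline stand-in for a TXT query against the constructed zone above."""
    return DNS_TXT.get(name)


def report_destination(sig_header: str,
                       txt_lookup: Callable[[str], Optional[str]] = lookup_txt
                       ) -> Optional[str]:
    """Return where a failure report may go, or None.

    The r= tag in the signature is only a request: the report is sent only if
    the signing domain (d=) has published _report._domainkey.<d> with an r= tag,
    i.e. the domain, not the message author, has consented to receive reports.
    """
    tags = parse_tags(sig_header)
    domain = tags.get("d")
    local_part = tags.get("r")
    if not domain or not local_part:
        return None                      # nothing requested, nothing to send
    record = txt_lookup(f"_report._domainkey.{domain}")
    if record is None or "r" not in parse_tags(record):
        return None                      # domain never opted in: drop silently
    return f"{local_part}@{domain}"      # consented destination at the signer


FORGED = "v=1; d=blackops.example; s=bogus; b=foo; bh=bar; h=baz; r=murray;"
GENUINE = "v=1; d=signer.example; s=sel; b=foo; bh=bar; h=from:to; r=postmaster;"
```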
