[dmarc-discuss] How does *this* mailing list interact with dmarc?

Steve Atkins steve at wordtothewise.com
Fri Jun 22 07:39:34 PDT 2012


On Jun 22, 2012, at 7:03 AM, Brian Corrigan wrote:

> Thanks for the response!
> 
> On Fri, Jun 22, 2012 at 9:48 AM, Murray Kucherawy <msk at fb.com> wrote:
>> The common practice right now is to develop reputation on the "d=" value
>> for DKIM, not the "d="/"s=" combination.
> 
> If big providers started using "d="/"s=" would it fail to interoperate
> with the receiving end for any reason? If the solution is that people
> with unique problems have to implement a unique solution, at least we
> *have* a solution for them (even if it requires some work).

If s= is repurposed for reputation discrimination it wouldn't be available
for things like key rotation or delegation to multiple senders. It would
deter senders of mail from ever changing selector, and hence ever
rotating their keys - which is a bad thing, even if many of them have
never rotated their keys anyway.

DKIM supports multiple reputation streams via the d= value, though
that useful feature has been neutered by the insistence
of some that it be the same string that's used in the email address.

There are some obvious ways[1] to extend DKIM to fix that, but I don't
think there's that much interest in going through the process to amend
the DKIM spec to do so. Modifying the protocols layered on top of
DKIM to remove the codified belief that d= must match the sender's
email address[2] might be a lower effort path.

Cheers,
  Steve

[1] New signature flag that's the stream of email?

[2] Modify semantics of protocols layered on top of DKIM so
that d=foo._.bar.com is "OK for" email address baz at bar.com?
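
Added example, not part of the original message: a small Python sketch of the point above, showing that reputation keyed on d= survives a selector rotation while reputation keyed on the d=/s= pair splits into a new, empty stream at each rotation. The domains, selectors, signature values and the function names (`reputation_key`, `tally`) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed DKIM-Signature values: example.com rotates its selector from
# jun2012 to jul2012; news.example.com is a separate stream with its own d=.
SAMPLE_SIGNATURES = [
    "v=1; a=rsa-sha256; d=example.com; s=jun2012;\r\n\tbh=AAAA=; b=BBBB==",
    "v=1; a=rsa-sha256; d=example.com; s=jun2012; bh=AAAA=; b=BBBB==",
    "v=1; a=rsa-sha256; d=Example.COM; s=jul2012; bh=AAAA=; b=BBBB==",
    "v=1; a=rsa-sha256; d=example.com; s=jul2012; bh=AAAA=; b=BBBB==",
    "v=1; a=rsa-sha256; d=news.example.com; s=jun2012; bh=AAAA=; b=BBBB==",
]


def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue  # a trailing ";" is allowed
        name, sep, val = item.partition("=")  # values may contain "="
        name = name.strip()
        if not sep or name in tags:
            raise ValueError(f"malformed or duplicate tag: {item!r}")
        tags[name] = val.strip()
    return tags


def key_record_name(tags):
    """DNS name where the verifier fetches the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def reputation_key(tags, scheme):
    """Hypothetical receiver-side key: 'd' (common practice) or 'd+s'."""
    d = tags["d"].lower()
    return d if scheme == "d" else (d, tags["s"].lower())


def tally(signatures, scheme):
    """Count messages per reputation stream under the given scheme."""
    return Counter(reputation_key(parse_tag_list(s), scheme) for s in signatures)


if __name__ == "__main__":
    print(tally(SAMPLE_SIGNATURES, "d"))
    print(tally(SAMPLE_SIGNATURES, "d+s"))
```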


