On Tue 28/Jul/2020 11:07:19 +0200 Laura Atkins wrote:
> On 28 Jul 2020, at 08:36, Alessandro Vesely <ves...@tana.it> wrote:
>> On Tue 28/Jul/2020 08:54:02 +0200 Autumn Tyr-Salvia wrote:
>>>
>>> The resulting message uses execut...@secondbrand.com in the friendly
>>> From: field, but firstbrand.com in the SMTP MAIL FROM domain, so the
>>> headers are no longer aligned for SPF.
>>
>> Heck, can't they DKIM sign?
>
> This really misses Autumn’s point. [...]
>
> Autumn has presented a very real world scenario that demonstrates the
> overall complexity of mail management operationally. Your solution “sign
> with DKIM” has significant barriers to adoption. For instance, assume that
> there is code installed on the mailserver that will grab the 5322.from
> address and sign with the appropriate DKIM key. How many domains are
> involved? How many different mailservers? How long will this solution take
> to deploy? Banks do not move quickly and, for the obvious reasons, any
> changes to security require multiple reviews and assurances that the
> implications are understood.


If the bank delegates a subdomain to each trusted subsidiary, each subsidiary could manage their keys on their local DNS and email servers. If the bank can afford "relaxed" DKIM alignment, they can sign with d=local-branch.bank.example and From: transactions@bank.example. What's the risk of doing so?


Best
Ale
--

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
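
The alignment cases discussed in this thread, as an added example that is not part of any message above: a minimal DMARC identifier-alignment check in relaxed and strict modes (RFC 7489). The function names, the tiny `PUBLIC_SUFFIXES` set standing in for the Public Suffix List, and the assumption that SPF itself passes for firstbrand.com are all constructed for illustration.

```python
# Added illustration of DMARC identifier alignment (RFC 7489, section 3.1).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "co.uk"}


def organizational_domain(domain):
    """Public suffix plus one label, e.g. a.b.bank.example -> bank.example."""
    labels = domain.lower().rstrip(".").split(".")
    # Try the longest candidate suffix first, then keep one more label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    # Unlisted TLD (such as .example): treat the last label as the suffix.
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def dmarc_result(header_from, spf_pass, mail_from_domain, dkim_pass_domains,
                 aspf="r", adkim="r"):
    """header_from is the 5322.From address or domain; dkim_pass_domains are
    the d= values of signatures that verified."""
    f = header_from.rsplit("@", 1)[-1]
    spf_ok = spf_pass and aligned(mail_from_domain, f, aspf)
    dkim_ok = any(aligned(d, f, adkim) for d in dkim_pass_domains)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # First case: From: at secondbrand.com, MAIL FROM at firstbrand.com, no DKIM.
    print(dmarc_result("secondbrand.com", True, "firstbrand.com", []))
    # Second case: d=local-branch.bank.example signing for bank.example.
    print(dmarc_result("transactions@bank.example", False, "",
                       ["local-branch.bank.example"], adkim="r"))
    # Same message if the published policy demanded strict DKIM alignment.
    print(dmarc_result("transactions@bank.example", False, "",
                       ["local-branch.bank.example"], adkim="s"))
```

Relaxed mode accepts any signing domain that shares the organizational domain, so every delegated subdomain holding a valid key can authenticate mail for the parent's From: domain.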
