On Tue 28/Jul/2020 17:22:41 +0200 Laura Atkins wrote:
> On 28 Jul 2020, at 16:14, Alessandro Vesely wrote:
>> On Tue 28/Jul/2020 11:07:19 +0200 Laura Atkins wrote:
>>> On 28 Jul 2020, at 08:36, Alessandro Vesely wrote:
>>>> On Tue 28/Jul/2020 08:54:02 +0200 Autumn Tyr-Salvia wrote:
>>>>> # The resulting message uses execut...@secondbrand.com in the
>>>>> friendly From: field, but firstbrand.com in
>>>>> the SMTP MAIL FROM domain, so the headers are no longer aligned for
>>>>> SPF.
>>>>
>>>> Heck, can't they DKIM sign?
>>>
>>> This really misses Autumn’s point. [...]
>>> Autumn has presented a very real world scenario that demonstrates the
>>> overall complexity of mail management operationally. Your solution “sign
>>> with DKIM” has significant barriers to adoption. For instance, assume that
>>> there is code installed on the mailserver that will grab the 5322.from
>>> address and sign with the appropriate DKIM key. How many domains are
>>> involved? How many different mailservers? How long will this solution take
>>> to deploy? Banks do not move quickly and, for the obvious reasons, any
>>> changes to security require multiple reviews and assurances that the
>>> implications are understood.
>>
>> If the bank delegates a subdomain to each trusted subsidiary, each
>> subsidiary could manage their keys on their local DNS and email servers.
>> If the bank can afford "relaxed" DKIM alignment, they can sign with
>> d=local-branch.bank.example and From: transactions@bank.example. What's
>> the risk of doing so?
>
> That does not address the problem Autumn brought up at all.

I understood the problem is the lack of agility. Delegation to smaller domains
using local servers would solve it, wouldn't it? Even with many domains...
What am I missing?
Best
Ale
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
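
The two situations discussed in this thread, run through a DMARC identifier-alignment check in strict and relaxed mode. This is an added example, not part of the original messages: the function names, the local parts, the selector and the tiny `PUBLIC_SUFFIXES` set are constructed for illustration, and it assumes SPF and DKIM verification themselves have already passed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; a real evaluator loads the full list.
PUBLIC_SUFFIXES = {"com", "example"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dkim_domains(msg):
    """Collect the d= tag of every DKIM-Signature header (signatures are not verified here)."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
        tags = {k.strip(): v.strip() for k, v in pairs}
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def evaluate(mail_from, raw_message, adkim="r", aspf="r"):
    """Compare the From: header domain with the MAIL FROM domain and each DKIM d= domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    spf_domain = mail_from.rpartition("@")[2].lower()
    return {
        "from": from_domain,
        "spf_aligned": aligned(from_domain, spf_domain, aspf),
        "dkim_aligned": any(aligned(from_domain, d, adkim) for d in dkim_domains(msg)),
    }

# Constructed sample messages. The first mirrors the cross-brand case (no DKIM signature),
# the second the delegated-subdomain signing proposal.
CROSS_BRAND = "From: Sender <sender@secondbrand.com>\nSubject: notice\n\nbody\n"
DELEGATED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=local-branch.bank.example; s=sel1;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Transactions <transactions@bank.example>\nSubject: receipt\n\nbody\n"
)

if __name__ == "__main__":
    print(evaluate("bounce@firstbrand.com", CROSS_BRAND))
    print(evaluate("bounce@local-branch.bank.example", DELEGATED))
    print(evaluate("bounce@local-branch.bank.example", DELEGATED, adkim="s", aspf="s"))
```

Under a policy with `adkim=s`, the delegated signature no longer aligns, so the subdomain approach depends on the parent domain publishing relaxed alignment.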