On 8/25/20 7:39 PM, John Levine wrote:
> In article <b340be1f-0b0f-2bee-522c-d17b0393a...@bluepopcorn.net> you write:
>>> If the list is somel...@lists.foo.org, does the signature have to be
>>> d=lists.foo.org? How about d=foo.org?
>>>
>> This seems like an analogous situation to the DKIM i= flag, where the
>> domain MUST be the same as, or a subdomain of, the value of the d= flag.
>> So I'd recommend allowing d=foo.org.
> Well, OK, how about d=org? This is the opposite of i=, superdomains rather
> than subdomains.

I see it as being in the same direction as i=, because we're talking about
being able to sign with a superdomain of [whatever identifier] in both cases.
But it doesn't really matter.

In principle, d=org would work too. The identified domain (list domain, i=,
whatever) always has to trust all higher level domains: because they delegate
the DNS to the lower level, they could in principle add their own selector
records if they wanted to spoof the subdomain. But I haven't ever heard of
that being a problem.

-Jim

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
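
The domain relationship discussed in this message, as an added example that is not part of the original post or of any DKIM/DMARC implementation: a check that d= is the list domain or a parent of it, and that i= stays inside d=. The function names, the list address announce@lists.foo.org and the sample headers are assumptions constructed for illustration; domains are compared label by label so that a plain string-suffix match on d=oo.org is not mistaken for a parent of lists.foo.org.

```python
import re

def labels(domain):
    """Lower-case a domain, drop a trailing dot, split into labels."""
    return domain.strip().rstrip(".").lower().split(".")

def is_same_or_superdomain(candidate, domain):
    """True if candidate equals domain or is a parent of it (label-wise)."""
    c, d = labels(candidate), labels(domain)
    return "" not in c and len(c) <= len(d) and d[-len(c):] == c

def parse_tags(header_value):
    """Parse a DKIM-Signature tag=value list (RFC 6376 section 3.2)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

def check_list_signature(header_value, list_address):
    """Return (ok, reason) for a signature on mail sent via list_address."""
    tags = parse_tags(header_value)
    d = tags.get("d")
    if not d:
        return False, "no d= tag"
    # RFC 6376: the domain part of i= must be d= or a subdomain of d=.
    i_domain = tags.get("i", "@" + d).rsplit("@", 1)[-1]
    if not is_same_or_superdomain(d, i_domain):
        return False, "i= is outside d="
    list_domain = list_address.rsplit("@", 1)[-1]
    if not is_same_or_superdomain(d, list_domain):
        return False, "d= is not the list domain or a parent of it"
    return True, "d=%s covers %s" % (d, list_domain)

# Constructed sample headers (hypothetical; b= and bh= omitted for brevity).
SAMPLES = [
    "v=1; a=rsa-sha256; d=lists.foo.org; s=sel1",
    "v=1; a=rsa-sha256; d=foo.org; s=sel1",
    "v=1; a=rsa-sha256; d=org; s=sel1",
    "v=1; a=rsa-sha256; d=oo.org; s=sel1",
    "v=1; a=rsa-sha256; d=foo.org; i=@lists.bar.org; s=sel1",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", check_list_signature(h, "announce@lists.foo.org"))
```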