On 2 Apr 2023, at 4:19, Douglas Foster wrote:

> Jesse observed that ESPs sometimes have difficulty getting a delegated DKIM
> scope, because it delegates authority over an entire namespace:
>
> With an assist from the DKIM group, we could specify that a DKIM signature
> without a "d=" term is valid. The "i=" term would have to be a full email
> address and the key lookup would be done by parsing the domain portion of
> the "i=" term. Then the DKIM signature becomes valid for DMARC only when
> the entire "i=" address matches the full RFC5322.From address.

Regardless of whether that’s a good idea, that would be an enormous change in 
the way DKIM works and would not happen given the scale of existing deployment. 
Besides, what’s the difference between this and just including the From address 
in the DKIM signature?

I think what you are looking for is a way to delegate a key that is valid for 
only a specific address, rather than the whole domain. Why not just create a 
subdomain for the ESP to use like marketing.example.com and publish keys there?

-Jim

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
