It would not have to be an incompatible change, we could just change the
way DMARC interprets signatures: If the "i=" term includes a local-part,
then the signature is only valid for that one From address (regardless of
the domain alignment policy). Otherwise, the signature is valid for any
address local-part in any domain or subdomain that matches the DMARC
alignment policy. Installations based on RFC 7489 will continue to
interpret the signature broadly. This eliminates compatibility concerns,
while weakening the effectiveness of creating a new control for domain
owners.

My impression is that fully qualified addresses are relatively rare on DKIM
scopes used for email, so I really don't expect that a change in
interpretation would have much effect on existing mail streams. But that
is an assumption rather than a known fact. Perhaps we could work together
to collect some data to assess whether the change would be trivial or
significant.

As to the subdomain technique, Jesse indicates that it is used sometimes,
but transitioning can be difficult even when it is used. More
importantly, it is not applicable to a small business that uses a mailbox
provider account, yet wants to use ConstantContact for some marketing
newsletters. That small business does not have the option of obtaining a
Gmail subdomain.

In short, we have two groups of unhappy users, and we need to acknowledge
them both: mailing lists and ESPs.

Doug Foster


On Sun, Apr 2, 2023 at 10:25 AM Jim Fenton <fen...@bluepopcorn.net> wrote:

> On 2 Apr 2023, at 4:19, Douglas Foster wrote:
>
> > Jesse observed that ESPs sometimes have difficulty getting a delegated DKIM
> > scope, because it delegates authority over an entire namespace:
> >
> > With an assist from the DKIM group, we could specify that a DKIM signature
> > without a "d=" term is valid. The "i=" term would have to be a full email
> > address and the key lookup would be done by parsing the domain portion of
> > the "i=" term. Then the DKIM signature becomes valid for DMARC only when
> > the entire "i=" address matches the full RFC5322.From address.
>
> Regardless of whether that's a good idea, that would be an enormous change
> in the way DKIM works and would not happen given the scale of existing
> deployment. Besides, what's the difference between this and just including
> the From address in the DKIM signature?
>
> I think what you are looking for is a way to delegate a key that is valid
> for only a specific address, rather than the whole domain. Why not just
> create a subdomain for the ESP to use like marketing.example.com and
> publish keys there?
>
> -Jim
>
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
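As an added example that is not part of this thread and not code from any DMARC or DKIM implementation, the following Python models the two interpretations contrasted in Doug's message: the RFC 7489 rule, where alignment is judged on the d= domain alone, and the proposed rule, where an i= tag carrying a local-part pins the signature to that one From address while an i= without a local-part falls back to ordinary domain alignment. The sample addresses are constructed, the organizational domain is approximated as the last two labels instead of a Public Suffix List lookup, and the DKIM tags are assumed to arrive already parsed from a signature that verified cryptographically; all three are assumptions of the example, not facts from the thread.

```python
"""Toy DMARC identifier-alignment check: RFC 7489 rule beside the proposed rule.

Added example, not from the mailing-list thread or any real verifier.
Assumptions: org domain = last two labels (stand-in for a PSL lookup);
DKIM tags are pre-parsed strings; the signature already verified.
"""
from typing import Optional, Tuple


def org_domain(domain: str) -> str:
    # Assumption: last two labels approximate a Public Suffix List lookup,
    # e.g. 'mail.example.com' -> 'example.com'.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def split_addr(addr: str) -> Tuple[str, str]:
    # 'News@Example.COM' -> ('News', 'example.com'); '@example.com' -> ('', 'example.com').
    # The local-part is kept as written (RFC 5321 treats it as case-sensitive).
    local, _, domain = addr.rpartition("@")
    return local, domain.lower()


def auid_under_sdid(d: str, i: str) -> bool:
    """RFC 6376 section 3.5: the i= domain must be d= or a subdomain of d=."""
    d = d.lower()
    _, i_domain = split_addr(i)
    return i_domain == d or i_domain.endswith("." + d)


def domain_aligned(from_domain: str, signing_domain: str, adkim: str) -> bool:
    """RFC 7489 section 3.1.1: adkim=s needs an exact match, adkim=r the same org domain."""
    f, s = from_domain.lower(), signing_domain.lower()
    return f == s if adkim == "s" else org_domain(f) == org_domain(s)


def rfc7489_aligned(from_addr: str, d: str, i: Optional[str], adkim: str = "r") -> bool:
    """Current rule: alignment is judged on d= only; any i= local-part is ignored."""
    i = i if i is not None else "@" + d  # RFC 6376 default when i= is absent
    if not auid_under_sdid(d, i):
        return False
    _, from_domain = split_addr(from_addr)
    return domain_aligned(from_domain, d, adkim)


def proposed_aligned(from_addr: str, d: str, i: Optional[str], adkim: str = "r") -> bool:
    """Proposed rule: an i= with a local-part is valid only for that exact From
    address, regardless of adkim; an i= without one falls back to RFC 7489."""
    i = i if i is not None else "@" + d
    if not auid_under_sdid(d, i):
        return False
    i_local, i_domain = split_addr(i)
    from_local, from_domain = split_addr(from_addr)
    if i_local:
        return from_local == i_local and from_domain == i_domain
    return domain_aligned(from_domain, d, adkim)


def compare(from_addr: str, d: str, i: Optional[str], adkim: str = "r") -> Tuple[bool, bool]:
    """(RFC 7489 result, proposed result) for one message."""
    return rfc7489_aligned(from_addr, d, i, adkim), proposed_aligned(from_addr, d, i, adkim)


if __name__ == "__main__":
    # Constructed cases: a domain owner hands an ESP a key and the ESP signs
    # with an i= that names the one newsletter address it is allowed to use.
    cases = [
        ("news@example.com",      "example.com", "news@example.com",      "r"),
        ("ceo@example.com",       "example.com", "news@example.com",      "r"),
        ("ceo@example.com",       "example.com", "@example.com",          "r"),
        ("ceo@mail.example.com",  "example.com", "@example.com",          "s"),
        ("ceo@example.com",       "example.com", "news@mail.example.com", "r"),
        ("ceo@example.com",       "example.com", "news@other.com",        "r"),
    ]
    print(f"{'From':<24}{'d=':<14}{'i=':<24}{'adkim':<7}{'RFC7489':<9}proposed")
    for f, d, i, a in cases:
        r, p = compare(f, d, i, a)
        print(f"{f:<24}{d:<14}{i:<24}{a:<7}{str(r):<9}{p}")
```

The second constructed case is the point of the proposal: under RFC 7489 a key the ESP was given for news@example.com also aligns mail sent as ceo@example.com, while under the proposed reading it does not. The third case shows the compatibility claim: an i= with no local-part behaves identically under both rules, so existing signatures are unaffected.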
