On Sunday, January 29, 2012 07:04:31 PM Murray S. Kucherawy wrote:
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of
> > Alessandro Vesely Sent: Saturday, January 28, 2012 4:10 AM
> > To: [email protected]
> > Subject: Re: [marf] r= using localpart
> > 
> > On the other hand, dkim-reporting has an rd= tag that makes such
> > flexibility possible.  What is the use case where rd= is different than
> > d=?
> 
> If some intermediary is doing your DKIM work for you, you might want that
> intermediary to receive failure reports as well.  But, then again, you
> could just as easily alias the failure address from your domain to them;
> this introduces a hop through your own mail servers, but it actually closes
> a security issue in that domain X can't fake a signature from domain Y on
> mail to domain Z and request reports go back to X, thus revealing whether
> or not Z is doing DKIM verification (if it participates in the reporting).
> 
> So maybe the "rd" for DKIM should just become "r=" which, if present and
> containing any value (as with "t=y"), then do the rest of the protocol
> using only the signing domain as the possible destination of reports.

I think the key is that the information about where reports need to go needs 
to be found in DNS, not in the message, so if one takes the signing domain and 
looks up the record there, it will give you the localpart to go with that 
domain.  The r= flag you propose would (AIUI) be the trigger to do the DNS 
lookup to see if there's a DNS record asking for reports.

Is this along the lines of what you intend?

Scott K
_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
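As an added example (not part of this thread, and not code from the IETF or any DKIM implementation), the following Python sketch shows the lookup Scott describes: the DKIM-Signature header only carries a trigger flag, and the report localpart comes from a TXT record under the signing domain, so a forged signature cannot redirect reports to some third party. The `_report._domainkey.<d>` record name and the `ra=` tag are assumptions here (they match the names RFC 6651 later standardized); the DNS lookup is a constructed in-memory table rather than a real resolver.

```python
import re

# Constructed stand-in for DNS: TXT record name -> record text (no network).
# The _report._domainkey name and ra= tag are assumed, not taken from the thread.
FAKE_DNS = {
    "_report._domainkey.example.com": "ra=dkim-reports; rr=all",
}


def fake_txt_lookup(name):
    """Return the TXT record for name from the constructed table, or None."""
    return FAKE_DNS.get(name)


def parse_tags(tag_list):
    """Split a DKIM-style tag=value list ("a=b; c=d") into a dict.

    Only the first '=' separates tag from value, so base64 padding in b= or
    bh= is preserved; folding whitespace inside values is dropped.
    """
    tags = {}
    for item in tag_list.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def report_destination(dkim_signature, txt_lookup=fake_txt_lookup):
    """Return the failure-report address for a signature, or None.

    The message supplies only the trigger (r=y); the localpart is read from
    a TXT record under the signing domain (d=).  Any destination named in
    the header itself (e.g. an rd= tag) is deliberately ignored, so domain X
    cannot forge a signature for domain Y and have reports sent to X.
    """
    sig = parse_tags(dkim_signature)
    if sig.get("r") != "y":
        return None  # signer did not ask for reports
    domain = sig.get("d")
    if not domain:
        return None  # malformed signature, nothing to look up
    txt = txt_lookup("_report._domainkey." + domain)
    if txt is None:
        return None  # signing domain publishes no reporting record
    record = parse_tags(txt)
    localpart = record.get("ra")
    if not localpart:
        return None
    return localpart + "@" + domain


if __name__ == "__main__":
    # Constructed header: signer asks for reports; address comes from DNS.
    hdr = "v=1; a=rsa-sha256; d=example.com; s=sel; r=y; h=from:to; bh=abc=; b=xyz="
    print(report_destination(hdr))  # dkim-reports@example.com
    # Header naming a different destination is ignored; only d= matters.
    forged = "v=1; a=rsa-sha256; d=example.com; s=sel; r=y; rd=attacker.example; b=xyz="
    print(report_destination(forged))  # dkim-reports@example.com
```

The verifier only ever combines the `ra=` localpart with the `d=` domain, which is the property the thread is after: the only party that can choose where reports go is whoever controls the signing domain's DNS.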