Anyone here that has real-life experience with DKIM granularity?
As an admin in a company I receive an increasing number of requests to have DKIM records added to our DNS, to allow all kinds of third-party cloud services/applications to send email on our behalf. I am extremely reluctant to do this as it permits those hosters to send email as anyone in our domains, rather than the single sending address they typically need.
It seems DKIM granularity (g= tag) is the answer to this. The published DNS record can then specify a local-part of an email address that may sign with this key.
It sounds great, and exactly what is needed to restrict a key to a single email address.
Reasons for my concern:
- RFC 6376 mentions it is discarded/deprecated as it was not being used. Yet, it still explains how it works and that the meaning of an empty-value g= tag has changed since the previous RFC.
  Does this mean that a non-empty-value g= tag is still valid and ought to work?
  I see some sites mention this as deprecated plain and simple, others as still current.
  (too bad when the specification is not specific enough to understand the intent)
- It seems that a g= tag in the DNS record must match the local-part of an i= tag in the signature.
  The optional i= tag, if included, must match the sending domain. But the local-part of it is not required to match the sending user's identity.
  Does that mean that the i= in the signature can be different from the sending email address? In that case, can't it be circumvented, unless receiving validators optionally check it anyway?
Does anyone use this granularity? Can it be relied on?
Or is it deprecated or worthless because it can be circumvented?
Any chance DMARC adds any real restrictions to it?
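An added illustration (not from the thread) of the g=/i= relationship the question is about: it applies the RFC 4871 wildcard rule for g= against the i= local-part, shows that RFC 6376 verifiers ignore g= entirely, and that neither DKIM nor DMARC compares the From: local-part with i=. The key record, signature tags and addresses below are constructed samples, and `evaluate` is a hypothetical helper, not a verifier's API.

```python
"""Constructed example of how a DKIM key record's g= tag relates to the
signature's i= tag (RFC 4871 semantics; RFC 6376 verifiers ignore g=)."""
import re

def parse_tags(tag_list):
    """Split a DKIM tag=value list (signature header or DNS TXT key) into a dict.
    Folding whitespace inside values is dropped, as verifiers do for b= and bh=."""
    tags = {}
    for part in tag_list.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def granularity_matches(g, local_part):
    """RFC 4871 g= rule: literal match against the i= local-part with at most one
    '*' wildcard matching zero or more characters; an empty g= matches nothing."""
    if g == "" or g.count("*") > 1:
        return False
    head, star, tail = g.partition("*")
    if not star:
        return local_part == g
    return (len(local_part) >= len(head) + len(tail)
            and local_part.startswith(head) and local_part.endswith(tail))

def evaluate(key_record, signature, from_addr, rfc6376=False):
    """Hypothetical helper: what a verifier can and cannot conclude from g= and i=.
    from_addr is the RFC 5322 From: address; DKIM itself never compares it to i=."""
    key, sig = parse_tags(key_record), parse_tags(signature)
    d = sig["d"].lower()
    identity = sig.get("i", "@" + d).lower()          # i= defaults to "@" + d
    i_local, _, i_domain = identity.rpartition("@")
    from_local, _, from_domain = from_addr.lower().rpartition("@")
    return {
        # i= domain must equal d= or be a subdomain of it (RFC 6376 section 3.5)
        "i_domain_ok": i_domain == d or i_domain.endswith("." + d),
        # RFC 6376 verifiers ignore g=, so under that RFC it restricts nothing
        "g_ok": True if rfc6376 else granularity_matches(key.get("g", "*"), i_local),
        # DMARC alignment compares only the From: domain with d=, never the local-part
        "from_domain_aligned": from_domain == d or from_domain.endswith("." + d),
        # the signer picks i= freely; nothing ties it to the From: local-part
        "from_local_equals_i_local": from_local == i_local,
    }

# constructed sample values (no real key material or signature bytes)
KEY = "v=DKIM1; g=crm-noreply; k=rsa; p=<constructed placeholder>"
SIG = ("v=1; a=rsa-sha256; d=example.com; s=crm; i=crm-noreply@example.com; "
       "h=from:to:subject; bh=<constructed>; b=<constructed>")
```

Running `evaluate(KEY, SIG, "ceo@example.com")` reports g= satisfied and the domain aligned even though the From: local-part is not the one named in g=, which is the gap the question points at.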