On 30 March 2017 at 17:42, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> > On Mar 30, 2017, at 12:35 PM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
> >
> > As I understand it, DKIM requires a separate DNS record for each subdomain
>
> No, DKIM has no such requirement. The DKIM signing domain "d=" in the
> DKIM signature header is not constrained to match the domain in the
> rfc2822 "From:" header. All that DKIM conveys is the identity of the
> domain responsible for the content. DKIM authenticates the origin
> domain, not the author.

Thanks Viktor, on reflection that is clearly right. What I should have said is that valid DKIM only proves that the content of the email came from the domain in the From header if this domain matches the one in the DKIM header.

BTW I recently discovered a neat Thunderbird Add-On 'DKIM Verifier' which can colour (color) the background to the sender name (i.e. From header) green if the domain matches the DKIM domain (example: P.V. Anthony's email in this thread, mine too I hope), orange if they mismatch (example: Angelo's emails in this thread), no colour if there is no DKIM (example: your emails in this thread), red if the DKIM signature is bad.
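
The From/"d=" comparison discussed in this message, as an added Python example that is not part of the original email and is not the add-on's code. It assumes exact, case-insensitive domain matching and does not verify the signature cryptographically, so the "bad signature" case is out of scope; the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def dkim_tags(value):
    """Parse a DKIM-Signature header value (a tag=value list) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Header folding can leave whitespace inside values; drop it.
            tags[name.strip()] = "".join(val.split())
    return tags


def from_domain(msg):
    """Lower-cased domain of the From: address, or None if there is none."""
    addr = parseaddr(msg.get("From", ""))[1]
    _local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep else None


def classify(raw):
    """Return 'unsigned', 'aligned' or 'mismatch' for one raw message.

    Assumption: 'aligned' means some signature's d= equals the From: domain
    exactly. A message may carry several DKIM-Signature headers.
    """
    msg = message_from_string(raw)
    signers = {dkim_tags(v).get("d", "").lower()
               for v in msg.get_all("DKIM-Signature", [])}
    signers.discard("")
    if not signers:
        return "unsigned"
    return "aligned" if from_domain(msg) in signers else "mismatch"


# Constructed samples; the bh=/b= values are placeholders, not real signatures.
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; s=sel1;\n"
       " d={d}; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n")
ALIGNED = SIG.format(d="Example.ORG") + "From: Alice <alice@example.org>\n\nhi\n"
MISMATCH = SIG.format(d="lists.example.net") + "From: Bob <bob@example.org>\n\nhi\n"
SUBDOMAIN = SIG.format(d="example.org") + "From: Dan <dan@mail.example.org>\n\nhi\n"
UNSIGNED = "From: Carol <carol@example.org>\n\nhi\n"

if __name__ == "__main__":
    for name in ("ALIGNED", "MISMATCH", "SUBDOMAIN", "UNSIGNED"):
        print(name, "->", classify(globals()[name]))
```

The `SUBDOMAIN` sample is signed by the parent domain and still counts as a mismatch under exact comparison, since "d=" names the signing domain independently of the From: header.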