by jeroenhd
1138 days ago
Does this mean this service doesn't work if you use unique email addresses for different services? By that I mean example+tag@gmail.com, catch-all email addresses, Apple's and Mozilla's email anonymization services, and so on.
> Does this mean this service doesn't work if you use unique email addresses for different services?
It wouldn't work "out of the box".
The DNS record is stored at a DNS location based on the hash of the email, so you would need to:
a. Set up a domain verification record for each email (not that realistic); or
b. Use an email address specifically for domain verification (a different one to your unique user email) and consider any non-verification emails to be spam
Immediate thoughts are that the spec could encourage service providers to run two checks if the email address includes a tag, given the email:
example+tag@gmail.com, they first check for a Domain Verification record for example+tag@gmail.com, then tag@gmail.com
However, this would seem to introduce an attack vector for users with email providers that don't recognise tagging.
I'll give this some more thought, thanks a lot for bringing it up – exactly why I'm here.
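
An added example, not part of the thread or of the spec under discussion: one way a service provider could order the two lookups while limiting the tagging concern raised above, by falling back to the untagged address only for domains known to treat `user+tag@` as `user@`. The allowlist, the function names, the use of SHA-256 and the choice of the untagged address as the fallback are all assumptions made for illustration.

```python
import hashlib

# Assumption: domains known to deliver user+tag@domain to user@domain.
# Anything not listed is treated as "provider does not recognise tagging".
SUBADDRESSING_DOMAINS = frozenset({"gmail.com"})


def lookup_candidates(email, tagging_domains=SUBADDRESSING_DOMAINS):
    """Return the addresses to check, most specific first.

    The exact address is always checked. The untagged address is added only
    when the domain is known to support tagging; elsewhere "a+b" and "a" may
    be two unrelated mailboxes, and a fallback would let the owner of "a"
    answer verification on behalf of "a+b".
    """
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower()  # domains are case-insensitive; local part kept as-is
    candidates = [f"{local}@{domain}"]
    base, plus, tag = local.partition("+")
    if plus and base and tag and domain in tagging_domains:
        candidates.append(f"{base}@{domain}")
    return candidates


def lookup_hashes(email, tagging_domains=SUBADDRESSING_DOMAINS):
    """Hash each candidate; SHA-256 is an assumption, the thread names no hash."""
    return [
        hashlib.sha256(addr.encode("utf-8")).hexdigest()
        for addr in lookup_candidates(email, tagging_domains)
    ]


if __name__ == "__main__":
    # Constructed sample addresses.
    for addr in ("example+tag@gmail.com", "example+tag@mail.example", "example@gmail.com"):
        print(addr, "->", lookup_candidates(addr))
```
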