Really interesting point, thanks.

> Does this mean this service doesn't work if you use unique email addresses for different services?

It wouldn't work "out of the box". The DNS record is stored at a DNS location based on the hash of the email, so you would need to:

a. Set up a domain verification record for each email (not that realistic); or
b. Use an email address specifically for domain verification (a different one to your unique user email) and consider any non-verification emails to be spam.

Immediate thoughts are that the spec could encourage service providers to run two checks if the email address includes a tag: given the email example+tag@gmail.com, they first check for a Domain Verification record for example+tag@gmail.com, then tag@gmail.com.

However, this would seem to introduce an attack vector for users with email providers that don't recognise tagging.

I'll give this some more thought, thanks a lot for bringing it up – exactly why I'm here.