> As far as I can see, this system doesn’t prove that the email address controls the domain now; it proves that it controlled the domain at the time it was set up.

This is a really good point, thanks. For a single service provider who has already done verification, this is no different to: "this system doesn’t prove that the party that set up the TXT record controls the domain now; it proves that it controlled the domain at the time it was set up." Which is the current state of the art.

However, let's say a disgruntled ex-employee wanted to claim their ex-employer company domain with a new service provider. The service provider could use the old verification record that their previous employer might have overlooked to delete (likely using a personal email address). Compared to the state of the art, I suppose this would be the same as not terminating this user account for your domain registrar – they could log in and cause havoc. I totally recognise that it would be more obvious for a company to delete the registrar user account than it would be to remove some obscure DNS records, but if over time this was recognised as the best way to manage authentication for domains then it would become more obvious.

> It’s hard to imagine checking the DNS, of all things, when an employee is off-boarded.

There would need to be tools to manage domain verification and these would ideally be offered by domain registrars. I'd also argue that if you're granting employees access to things using their personal email then you're going to hit a bunch of snags. I'll give this one more thought.
While I agree, I’d argue that the by-far numerical majority of companies don’t have sufficient internal controls to prevent someone from using whatever email they like when creating a DNS record for some service. Actually, I even doubt that email gets turned off reliably.
It doesn’t generally matter, since the email address still validates the user’s identity to the same level, but in this case there is a chain of trust that isn’t necessarily trustworthy.
OTOH, a standard for domain verification is a good idea. Perhaps it just needs to have an expiry date on it. It would be less convenient, but at least people could start to build tools around it.
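The expiring-record idea from the reply above, as an added example that is not from the thread or any real provider: the `v=dv-example; email=...; expires=YYYY-MM-DD` TXT format and the `_verify` label are assumptions made up for this illustration, and a record with no `expires` field is rejected so a stale record left behind after off-boarding cannot stay valid indefinitely.

```python
# Added example (not from the thread): a domain-verification TXT record that
# carries an expiry date, checked on the verifier's side.
# The record format is hypothetical; no registrar or service provider uses it.
from datetime import datetime, timezone

# Constructed sample TXT values, as they might be published at a hypothetical
# name such as _verify.example.com. The second is a stale record left behind
# by a former employee; the third has no expiry at all.
SAMPLE_RECORDS = [
    "v=dv-example; email=ops@example.com; expires=2099-01-01",
    "v=dv-example; email=former.employee@example.net; expires=2020-01-01",
    "v=dv-example; email=ops@example.com",
]


def parse_record(txt):
    """Split a 'k=v; k=v' TXT value into a dict, ignoring malformed fields."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def record_is_valid(txt, now=None):
    """True only for a well-formed record whose 'expires' date is still in
    the future. Missing or unparsable expiry dates are treated as invalid."""
    now = now or datetime.now(timezone.utc)
    rec = parse_record(txt)
    if rec.get("v") != "dv-example" or "email" not in rec:
        return False
    try:
        expires = datetime.strptime(rec["expires"], "%Y-%m-%d")
    except (KeyError, ValueError):
        return False
    return now < expires.replace(tzinfo=timezone.utc)


def verified_emails(records, now=None):
    """Email addresses that still count as verified for the domain."""
    return [parse_record(r)["email"] for r in records if record_is_valid(r, now)]


if __name__ == "__main__":
    print(verified_emails(SAMPLE_RECORDS))  # prints ['ops@example.com']
```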