
Based on the documentation, --nosubdomains "Disallows subdomain signing by this key". But don't we need to create separate DKIM records for subdomains regardless?

Please correct me if I am wrong in my understanding. An email signature with the domain (d field) set to the organization and a selector (field s in the signature) will be used for querying the key to validate the digital signature (field b in the signature) by comparing it with the canonicalized body. So the whole process hasn't considered the subdomains in any form till now; the subdomains can only come into the picture if a subdomain is mentioned in the d field instead of the organization domain, or if the i field is present in the signature. In the former case, there need to be separate records for the subdomains and the organization domain, while in the latter case, if t=s is used in the TXT record, the verifier should compare the domain of the signature's i field as-is with the value in the d field. But in either case the same key can be used for validation.

1 Answer


By default, DKIM is inherited by all the subdomains, as defined in RFC 6376, 3.10:

Signing by Parent Domains

In some circumstances, it is desirable for a domain to apply a signature on behalf of any of its subdomains without the need to maintain separate selectors (key records) in each subdomain. By default, private keys corresponding to key records can be used to sign messages for any subdomain of the domain in which they reside; for example, a key record for the domain example.com can be used to verify messages where the AUID ("i=" tag of the signature) is sub.example.com, or even sub1.sub2.example.com.

In order to limit the capability of such keys when this is not intended, the "s" flag MAY be set in the "t=" tag of the key record, to constrain the validity of the domain of the AUID. If the referenced key record contains the "s" flag as part of the "t=" tag, the domain of the AUID ("i=" flag) MUST be the same as that of the SDID (d=) domain. If this flag is absent, the domain of the AUID MUST be the same as, or a subdomain of, the SDID.

As opendkim-genkey also creates the DNS key record, it has the capability of setting the t=s flag:

-S (--[no]subdomains) Disallows subdomain signing by this key. By default the key record will be generated such that verifiers are told subdomain signing is permitted. Note that for backward compatibility reasons, -S means the same as --nosubdomains.

This means that:

  • Without the t=s it is possible to use d=example.com;s=selector to also authenticate messages from subdomains ([email protected]).
  • When the t=s flag is set it is only possible to sign

Practically, DKIM does not care whether the identity in the signature matches the From header. Therefore, it is used together with DMARC, which has a relaxed mode (RFC 7489, 3.1.1) where d=example.com and From: <[email protected]> are considered to be aligned because they share the same Organizational Domain (3.2).

It seems OpenDKIM has not implemented the i=, probably because a milter does not have trustworthy information on the user to authenticate the local-part. It is a bit strange to implement t=s without implementing the i=, indeed.
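A worked example of the rule quoted above, added here and not taken from the question, the answer or OpenDKIM itself: a small verifier-side check in Python that applies the t=s policy of RFC 6376 section 3.10 to constructed key records and signature headers, followed by the strict/relaxed DKIM alignment test from DMARC that the answer mentions. The key records and DKIM-Signature tag lists are constructed for the example (the p=, bh= and b= values are placeholders, not real keys or signatures), and the organizational-domain helper is a deliberate simplification that ignores the Public Suffix List.

```python
# Added example (not from the question or answer): verifier-side policy
# checks for DKIM subdomain signing (RFC 6376 3.10 / 6.1.1) and DMARC
# DKIM identifier alignment (RFC 7489 3.1.1).  Signature verification
# itself (the b= check) is deliberately out of scope.


def parse_tags(tag_list: str) -> dict:
    """Parse a DKIM tag=value list (signature header or key record) into a dict.
    Whitespace inside a value, e.g. a p= split over several TXT strings, is dropped."""
    tags = {}
    for field in tag_list.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[name.strip()] = "".join(value.split())
    return tags


def auid_domain(sig: dict) -> str:
    """Domain part of the AUID.  Without an i= tag the AUID defaults to
    '@' + SDID (RFC 6376 3.5), which is what OpenDKIM-signed mail carries."""
    auid = sig.get("i") or "@" + sig["d"]
    _local_part, at, domain = auid.rpartition("@")
    if not at or not domain:
        raise ValueError(f"AUID must look like local-part@domain: {auid!r}")
    return domain.lower()


def auid_allowed(key: dict, sig: dict) -> bool:
    """Apply the key record's t= flags to the signature's d=/i= pair.
    With the 's' flag the AUID domain MUST equal the SDID; without it the
    AUID domain may also be any subdomain of the SDID."""
    sdid = sig["d"].lower()
    domain = auid_domain(sig)
    flags = set(key["t"].split(":")) if key.get("t") else set()
    if domain == sdid:
        return True
    if "s" in flags:
        return False
    # The leading dot matters: 'notexample.com' is not a subdomain of 'example.com'.
    return domain.endswith("." + sdid)


def organizational_domain(domain: str) -> str:
    """Simplified Organizational Domain: the last two labels.  A real DMARC
    verifier uses the Public Suffix List (RFC 7489 3.2); this shortcut is wrong
    for names like example.co.uk and is used here only to keep the example offline."""
    return ".".join(domain.lower().split(".")[-2:])


def dkim_aligned(sdid: str, from_domain: str, relaxed: bool = True) -> bool:
    """DMARC DKIM identifier alignment: strict needs SDID == From domain,
    relaxed also accepts the same Organizational Domain."""
    if sdid.lower() == from_domain.lower():
        return True
    return relaxed and organizational_domain(sdid) == organizational_domain(from_domain)


# Constructed key records in the shape opendkim-genkey publishes; the second is
# what -S / --nosubdomains adds.  p= is a placeholder, not a real key.
KEY_DEFAULT = "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY"
KEY_NOSUBDOMAINS = "v=DKIM1; k=rsa; t=s; p=PLACEHOLDERPUBLICKEY"

# Constructed DKIM-Signature tag lists (bh= and b= are placeholders).
SIG_NO_AUID = "v=1; a=rsa-sha256; d=example.com; s=selector; h=from:to:subject; bh=BODYHASH; b=SIG"
SIG_SUB = "v=1; a=rsa-sha256; d=example.com; s=selector; i=@sub.example.com; h=from:to:subject; bh=BODYHASH; b=SIG"
SIG_DEEP = "v=1; a=rsa-sha256; d=example.com; s=selector; i=user@sub1.sub2.example.com; h=from:to:subject; bh=BODYHASH; b=SIG"
SIG_LOOKALIKE = "v=1; a=rsa-sha256; d=example.com; s=selector; i=@notexample.com; h=from:to:subject; bh=BODYHASH; b=SIG"


def policy_table() -> dict:
    """Evaluate every constructed signature against both key records."""
    keys = {"default": parse_tags(KEY_DEFAULT), "t=s": parse_tags(KEY_NOSUBDOMAINS)}
    sigs = {"no i=": SIG_NO_AUID, "i=@sub": SIG_SUB,
            "i=user@sub1.sub2": SIG_DEEP, "i=@notexample": SIG_LOOKALIKE}
    return {(k, s): auid_allowed(key, parse_tags(sig))
            for k, key in keys.items() for s, sig in sigs.items()}


if __name__ == "__main__":
    for (key_name, sig_name), ok in policy_table().items():
        print(f"key {key_name:8} sig {sig_name:18} -> {'accept' if ok else 'reject'}")
    print("DMARC relaxed, d=example.com, From sub.example.com:",
          dkim_aligned("example.com", "sub.example.com"))
    print("DMARC strict,  d=example.com, From sub.example.com:",
          dkim_aligned("example.com", "sub.example.com", relaxed=False))
```

Running it shows the two-by-four table the quoted RFC text predicts: the default record accepts i=@sub.example.com and i=user@sub1.sub2.example.com, the t=s record rejects both, and both records reject the look-alike domain. Since the answer notes that OpenDKIM does not emit i= at all, a signature from it always falls into the "no i=" row, so the -S flag only changes what verifiers do with signatures from signers that set an AUID below d=.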

  • Please correct me if I am wrong in my understanding. An email signature with the domain (d field) set to the organization and a selector (field s in the signature) will be used for querying the key to validate the digital signature (field b in the signature) by comparing it with the canonicalized body. So the whole process doesn't consider the subdomains in any form till now; the subdomains can only come into the picture if a subdomain is mentioned in the d field instead of the organization domain, or if the i field is present in the signature. 2 days ago
  • Please see the modified question (second paragraph). Also, I didn't see an option to enable the AUID (i.e. insert the i field in the signature) in opendkim.conf; what did I miss? 2 days ago
  • Do not modify an already answered question to ask something else. The clarification is ok as a comment. 2 days ago
  • Which part of "If this flag is absent, the domain of the AUID MUST be the same as, or a subdomain of, the SDID." is unclear? That clearly says that without t=s subdomains are allowed. 2 days ago
  • Okay, I'll take care of that next time. Just another clarification: I couldn't find how to enable OpenDKIM to insert an 'i' part in the DKIM signature, because by default it doesn't. yesterday
