Currently, domains added to Remails must be globally unique, see https://github.com/tweedegolf/remails/blob/c408b635cc17c9c1ede312e2d602e89338289a91/migrations/20240930143937_initial.sql#L106
This might not be optimal: If a domain gets transferred to another entity without being removed in Remails, it cannot be re-registered in Remails. Additionally, because we currently don't check ownership of the domain, one could DoS another entity by registering their domain before they do. Maybe this is not too big of an attack surface, though.
Currently, we can only allow a single organization to register a domain at Remails, as the DKIM selector is fixed to remails. Therefore, you cannot add two or more DKIM keys to your DNS, and thus cannot use multiple Remails organizations. We could lift this limitation by assigning every organization and (partly) randomized DKIM selector.
In particular, we must ensure that a change of the status quo does not allow taking over a domain from another organization without verifying that the new organization is an owner of the domain and the old organization isn't (anymore).
Currently, domains added to Remails must be globally unique, see https://github.com/tweedegolf/remails/blob/c408b635cc17c9c1ede312e2d602e89338289a91/migrations/20240930143937_initial.sql#L106
This might not be optimal: If a domain gets transferred to another entity without being removed in Remails, it cannot be re-registered in Remails. Additionally, because we currently don't check ownership of the domain, one could DoS another entity by registering their domain before they do. Maybe this is not too big of an attack surface, though.
Currently, we can only allow a single organization to register a domain at Remails, as the DKIM selector is fixed to
remails. Therefore, you cannot add two or more DKIM keys to your DNS, and thus cannot use multiple Remails organizations. We could lift this limitation by assigning every organization and (partly) randomized DKIM selector.In particular, we must ensure that a change of the status quo does not allow taking over a domain from another organization without verifying that the new organization is an owner of the domain and the old organization isn't (anymore).