Hector Santos wrote:
For example: santronics.com
Mail Flow Requirements:
1) I might want an exclusive policy for general
business/vendor communications where exclusive
outbound is only from santronics.com network.
2) I want a relaxed policy for non-business traffic
sent by our servers, i.e., a mailing list.
The general topology is:
MUA ---> MSA/MTA ---> MDA
The final designation MDA is a DKIM ready verifier and signer too.
Now at my santronics.com MTA, I have a configuration:
SELECTOR non-business mailinglist.com
If my target address is mailinglist.com, the MTA will use the non-business
selector. Otherwise, the default will use the business selector.
I use a STRONG policy for non-business.
I use an EXCLUSIVE policy for business (which is the default).

Something you have to remember here is that the signing policy lookup DOES
NOT have any selector to provide it a path into the DNS. All you know is
in the domain part of the From: address because... there's no signature.
always have to have the _policy record available at a fixed location.
We've thought quite a lot about this and it really looks like the only
way to deal with this is to segregate the traffic into different
I hear the groans) with different policies. The alternative is that you
enumerate all of the policies at one level of the DNS tree which is
given MTU considerations. Thus, you'd want:
_policy._domainkey.biz.santronix.com. IN TXT "o=!;"
_policy._domainkey.santronix.com. IN TXT "o=-;"
or something like that.
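
The fixed-location lookup described in the reply, as an added example that is not part of the original message: the query name is built from the From: domain alone, so moving traffic to a subdomain is what selects a different policy. The function names are hypothetical, the `ZONE` dict stands in for DNS and holds the two records exactly as written above, and the exact-name lookup with no walk up the tree is an assumption.

```python
from email.utils import parseaddr

# Constructed zone data: the two TXT records from the message, as written there.
ZONE = {
    "_policy._domainkey.biz.santronix.com": "o=!;",
    "_policy._domainkey.santronix.com": "o=-;",
}

def policy_qname(from_header):
    """Build the fixed-location policy name from the From: domain alone.

    No selector is available here: an unsigned message carries no signature,
    so the From: domain is the only input.
    """
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("no usable domain in From: header")
    return "_policy._domainkey." + domain.lower().rstrip(".")

def parse_tags(txt):
    """Split a 'tag=value;' list into a dict, ignoring empty segments."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep and name.strip():
            tags[name.strip()] = value.strip()
    return tags

def lookup_policy(from_header, zone=ZONE):
    """Return (query name, o= value); o is None when no record is published."""
    qname = policy_qname(from_header)
    txt = zone.get(qname)  # assumption: exact-name lookup only
    if txt is None:
        return qname, None
    return qname, parse_tags(txt).get("o")

if __name__ == "__main__":
    for hdr in ("Sales <sales@biz.santronix.com>",
                "list-owner@santronix.com",
                "someone@other.santronix.com"):
        print(hdr, "->", lookup_policy(hdr))
```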