Hi Jerry,
At 09:25 10-08-2005, Jerry Martin wrote:
> In our situation, we have two e-mail gateway servers--one outbound
> (mail1) and one inbound (mail2)--which serve three separate domains
> internally. These servers sometimes will assume the role of the
> other server for periods of down-time. Our DNS is hosted by a third
> party, and changes must be submitted through our corporate office.
> First of all, I'm not clear on the timing between the time the DNS
> server is updated and the time the message signing begins. If I
> first update the DNS records, will enabled receiving servers
> immediately begin expecting my messages to be signed? Or, if I begin
> by signing messages, will enabled receiving servers fail the
> messages if they don't find the matching DNS entry?

Change the DNS records first. Wait for the change to propagate and
then start signing. Receiving mail servers running DKIM will fail to
verify the message if they cannot find the matching DNS entry.

> If, later, the key is changed, DNS propagation can take several
> days. How do I avoid having conflicts with message signatures and DNS records?

If you want to change the key, change the selector and sign your
messages with it. Keep the old selector in DNS for a week before removing it.

> Should I use the same key for both mail1 and mail2, or doesn't it matter?

You can do that if you run both servers. The alternative is to use
different selectors to sign messages sent from each server.

> What about the keys for the other domains within my
> organization...should they each have their own key and should it be
> the same key for both e-mail servers?

You can use the same key for all your domains or a different key for
each domain. As you are not in control of DNS, it might be better to
have a different key for each domain.

> I can't even be sure that the other domain admins will even be
> interested in DKIM. If I start signing messages, will the other
> domains be affected?

No, they should not be affected.

Regards,
-sm
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
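
The ordering discussed in the message above (publish the selector record before signing, rotate by signing with a new selector, keep the old selector for a week), as an added example that is not part of the original message: a Python simulation of the DNS key lookup a verifier performs, using RFC 6376 tag syntax. The domain, selector names, key strings and dates are constructed placeholders.

```python
from datetime import date, timedelta

def parse_tags(value):
    """Parse a DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_query_name(dkim_signature):
    """DNS name a verifier queries: <selector>._domainkey.<domain>."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def key_published(dkim_signature, zone):
    """True if the selector's TXT record exists and carries key data.
    An empty p= tag means the key was revoked (RFC 6376)."""
    record = zone.get(key_query_name(dkim_signature))
    return record is not None and parse_tags(record).get("p", "") != ""

def old_selector_removable(switched_on, today, grace_days=7):
    """The old selector stays in DNS for a week after signing switches."""
    return today >= switched_on + timedelta(days=grace_days)

# Constructed sample data (assumptions, not values from the thread).
OLD_SIG = "v=1; a=rsa-sha256; d=example.com; s=sel2005a; h=from:to; bh=CONSTRUCTED; b=CONSTRUCTED"
NEW_SIG = "v=1; a=rsa-sha256; d=example.com; s=sel2005b; h=from:to; bh=CONSTRUCTED; b=CONSTRUCTED"
OLD_REC = {"sel2005a._domainkey.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTEDOLDKEY"}
NEW_REC = {"sel2005b._domainkey.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTEDNEWKEY"}

def rollout_report():
    """Key-lookup result for each stage of rollout and rotation."""
    both = {**OLD_REC, **NEW_REC}
    return {
        "sign before publishing": key_published(OLD_SIG, {}),
        "publish, then sign": key_published(OLD_SIG, OLD_REC),
        "rotated, old selector kept": key_published(OLD_SIG, both),
        "rotated, new selector": key_published(NEW_SIG, both),
        "old selector removed too early": key_published(OLD_SIG, NEW_REC),
    }

if __name__ == "__main__":
    for stage, found in rollout_report().items():
        print(f"{stage:32} key found: {found}")
    print("removable after 5 days:", old_selector_removable(date(2005, 8, 10), date(2005, 8, 15)))
    print("removable after 7 days:", old_selector_removable(date(2005, 8, 10), date(2005, 8, 17)))
```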