dkim-ops

Re: [dkim-ops] DKIM seems complicated

2005-08-10 11:30:12
Hi Jerry,
At 09:25 10-08-2005, Jerry Martin wrote:
> In our situation, we have two e-mail gateway servers--one outbound (mail1) and one inbound (mail2)--which serve three separate domains internally. These servers sometimes will assume the role of the other server for periods of down-time. Our DNS is hosted by a third party, and changes must be submitted through our corporate office.
>
> First of all, I'm not clear on the timing between the time the DNS server is updated and the time the message signing begins. If I first update the DNS records, will enabled receiving servers immediately begin expecting my messages to be signed? Or, if I begin by signing messages, will enabled receiving servers fail the messages if they don't find the matching DNS entry?

Change the DNS records first. Wait for the change to propagate and then start signing. Receiving mail servers running DKIM will fail to verify the message if they cannot find the matching DNS entry.

> If, later, the key is changed, DNS propagation can take several days. How do I avoid having conflicts with message signatures and DNS records?

If you want to change the key, change the selector and sign your messages with it. Keep the old selector in DNS for a week before removing it.


> Should I use the same key for both mail1 and mail2, or doesn't it matter?

You can do that if you run both servers. The alternative is to use different selectors to sign messages sent from each server.

> What about the keys for the other domains within my organization...should they each have their own key and should it be the same key for both e-mail servers?

You can use the same key for all your domains or a different key for each domain. As you are not in control of DNS, it might be better to have a different key for each domain.

> I can't even be sure that the other domain admins will even be interested in DKIM. If I start signing messages, will the other domains be affected?

No, they should not be affected.

Regards,
-sm
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
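
The ordering given in the reply above (publish the selector's key record, then sign; keep the old selector for a week after switching), as an added example that is not part of the original message. A verifier looks the key up at `<selector>._domainkey.<domain>`, so the check runs that lookup against a constructed zone snapshot; `example.com`, the selector names and the key placeholders are assumptions, and the revoked-key case (empty `p=`) goes slightly beyond what the reply covers.

```python
from datetime import date, timedelta

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (signature header or key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_record_name(signature):
    """DNS name a verifier queries for this signature: <s>._domainkey.<d>."""
    tags = parse_tags(signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def lookup_result(signature, zone):
    """What a verifier finds for the signature's selector in a TXT snapshot."""
    record = zone.get(key_record_name(signature))
    if record is None:
        return "no key record"   # signing began before the DNS change was visible
    if not parse_tags(record).get("p"):
        return "key revoked"     # an empty p= marks a withdrawn key
    return "key found"

def old_selector_removable(last_signed, today, grace_days=7):
    """True once the old selector has gone unused for the grace period
    (one week, as suggested in the reply)."""
    return today - last_signed >= timedelta(days=grace_days)

# Constructed sample data: zone contents part-way through a key rotation.
ZONE = {
    "jul2005._domainkey.example.com": "v=DKIM1; k=rsa; p=",
    "aug2005._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDEROLDKEY",
    "sep2005._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDERNEWKEY",
}

def sample_signature(selector, domain="example.com"):
    """Constructed DKIM-Signature header value carrying only the tags used here."""
    return f"v=1; a=rsa-sha256; d={domain}; s={selector}; b=CONSTRUCTED"

if __name__ == "__main__":
    for sel in ("jul2005", "aug2005", "sep2005", "oct2005"):
        sig = sample_signature(sel)
        print(key_record_name(sig), "->", lookup_result(sig, ZONE))
    print(old_selector_removable(date(2005, 9, 1), date(2005, 9, 8)))
```

Mail signed with `aug2005` that is still in transit keeps verifying because its record is still published, while a message signed with the unpublished `oct2005` selector fails the lookup.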
