Much of what you're asking will be implementation specific. Since you're
considering using MDaemon, I feel qualified to answer (at least I can tell
you how MDaemon does it):
> It has been suggested that multiple "selectors" can
> be utilized in order to accomplish a number of feats.
> I'm wondering about how, specifically, to post these
> multiple selectors to the single IN TXT DNS record.
You need to post them to MULTIPLE DNS records. Each selector is its own
record in DNS with DKIM.
> This has also raised concerns about exactly how
> much data can be posted to this DNS record. Can
> DKIM and SPF co-exist in this record?
No. SPF data is located in its own place in DNS. DKIM data is stored in a
different location. If you have already installed MDaemon, default RSA keys
for a hypothetical selector called 'MDaemon' will already have been created.
You can look at \MDaemon\PEM\MDaemon\dns_readme.txt and it will say what to
put and where to put it in your DNS server for DKIM (and DK).
> Doesn't this create a bunch of extra overhead for
> the DNS server?
The load difference is not significant in my view considering that there are
probably on the order of a million SPF records already in DNS and the world
hasn't collapsed yet. But, the impact of significant numbers of DKIM
records in DNS is an ongoing concern which IETF is trying to document and
consider with care.
> With regards to DKIM failures; if they are rejected,
> can/will the sender be notified?
In the case of MDaemon, you have an option to have the SMTP server refuse to
accept the message. It does this with a 5XX error code. So, yes, the
sender should be notified if they attempt to send a signed message that
fails to verify. The mechanics of doing that are the routine SMTP mechanism
for handling mail that can't be delivered.
> If DKIM indicates tampering, rather than complete forgery, are
> these messages treated differently? Can the sender and receiver
> be warned in the case of tampering?
From the DKIM perspective (at least in my version with MDaemon) you can't
distinguish tampering from a forgery. In both cases the signature fails to
verify and is treated the same. In MDaemon you get the option of refusing
to accept the message or add to the spam filter heuristic score. In the
next version I hope to expand on those options somehow.
--
Arvel
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
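An added example, not from the post above and not MDaemon's code, showing the two DNS points the reply makes: a verifier derives the DKIM lookup name from the signature's `s=` and `d=` tags, so each selector is a separate TXT record under `_domainkey`, while SPF lives at the domain's own name; it also shows how a long TXT record is split into the 255-byte character-strings DNS requires. The zone contents, signature headers and key values are constructed placeholders.

```python
"""Added example: DKIM selectors as separate DNS names, SPF at the apex,
and TXT character-string splitting. Not code from the dkim-ops post or
from MDaemon; all zone data below is constructed for illustration."""
import re

# Constructed zone: one SPF record at the apex, one DKIM key per selector.
# Each name maps to the list of character-strings DNS would return.
# The p= values are placeholders, not real RSA public keys.
ZONE = {
    "example.com": ["v=spf1 mx -all"],
    "mdaemon._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_ONE"],
    "backup._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_TWO"],
}

# Constructed DKIM-Signature header values (signature bytes are placeholders).
SIG_MDAEMON = "v=1; a=rsa-sha256; d=example.com; s=mdaemon; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"
SIG_BACKUP = "v=1; a=rsa-sha256; d=example.com; s=backup; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER"


def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict.
    Whitespace inside values (folded b=/bh= data) is discarded."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_query_name(signature_header):
    """Return the DNS name a verifier queries for this signature:
    <selector>._domainkey.<signing domain> (RFC 6376 section 3.6.2.1)."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def lookup_txt(zone, name):
    """Concatenate the character-strings of a TXT record, as a verifier does."""
    strings = zone.get(name)
    if strings is None:
        return None
    return "".join(strings)


def classify_txt(record):
    """Tell an SPF record from a DKIM key record by its content."""
    if record.startswith("v=spf1"):
        return "spf"
    tags = parse_tags(record)
    # v=DKIM1 is optional in a key record; p= is the required tag.
    if tags.get("v", "DKIM1") == "DKIM1" and "p" in tags:
        return "dkim"
    return "other"


def split_txt(record, limit=255):
    """Split a long TXT value into character-strings of at most 255 bytes,
    which is the per-string limit in DNS; resolvers rejoin them in order."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


if __name__ == "__main__":
    for sig in (SIG_MDAEMON, SIG_BACKUP):
        name = dkim_query_name(sig)
        print(name, "->", classify_txt(lookup_txt(ZONE, name)))
    print("example.com", "->", classify_txt(lookup_txt(ZONE, "example.com")))
    long_key = "v=DKIM1; k=rsa; p=" + "A" * 600
    print([len(s) for s in split_txt(long_key)])
```

Running it shows the two selectors resolving to two different names, the apex TXT classified as SPF with no `p=` tag in it, and a 618-byte key record split into strings of 255, 255 and 108 bytes.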