
Re: [dkim-ops] question on DNS

2009-03-04 19:19:10
We plan to implement DKIM signing on outbound mail.  We want to tell our 
DNS support what changes they need to make. 

Also, we have generated a 1024-byte private key like this:

primary._domainkey.prudential.com. IN TXT "v=DKIM1; t=y;
p=MIG..............."

So far so good.

How must keys be updated in DNS to sign for other domains we send from?

Short answer: not at all.

Remember that DKIM completely decouples the domain in the signature
from domains that appear elsewhere in the message.  It is both
possible and perfectly reasonable to sign all your outgoing mail with
d=prudential.com regardless of what domain is in the From: line or
other headers, if you want the world to treat all mail from Prudential
as being in the same mail stream.

If you want people to treat your mail as multiple streams, you'll want
to set up signing keys in multiple domains, but again the signing keys
don't have to match the from address.  If the mail is from, say,
karendeane.com, you could sign with d=prudential.com or
d=karendeane.com or d=karendeane.prudential.com if you want the
connection to be clearer to recipients.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
"More Wiener schnitzel, please", said Tom, revealingly.


_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
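
Added example, not part of the original message: a verifier builds the key lookup name as `<s=>._domainkey.<d=>` from the signature's own tags, so the From: domain never enters the DNS query and only the domains used in d= need a key record. The three messages are constructed samples using the domains named in the reply; reusing the selector `primary` for the other two signing domains and the `agent@` address are assumptions.

```python
import email
from email.utils import parseaddr

def parse_tags(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def key_lookups(raw_message):
    """Return (From: domain, [(d=, TXT name a verifier queries, d= equals From: domain)])."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    lookups = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        if not d or not s:
            continue  # d= and s= are required tags; skip malformed signatures
        # The query name comes only from the signature's own s= and d= tags.
        lookups.append((d, f"{s}._domainkey.{d}.", d == from_domain))
    return from_domain, lookups

def sample(d):
    """Constructed message: From: karendeane.com, signed with the given d=."""
    return (
        f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=primary;\n"
        "\th=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
        "From: Agent <agent@karendeane.com>\n"
        "Subject: constructed sample\n"
        "\n"
        "body\n"
    )

if __name__ == "__main__":
    for d in ("prudential.com", "karendeane.com", "karendeane.prudential.com"):
        from_domain, lookups = key_lookups(sample(d))
        for signed_d, qname, same in lookups:
            print(f"From: {from_domain:15} d={signed_d:26} TXT {qname} same_domain={same}")
```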
