Hmm. I was hunting for "best practices" and I found this[1] this morning.
Under section 2.3, it says:
(quoting):
For those operating messaging services on behalf of a variety of
customers, an obvious scheme to use has a different sub-domain label
for each customer. For example:
widgetco.example.net
moviestudio.example.net
bigbank.example.net
However it can also be appropriate to label by the class of service
or class of customer, such as:
premier.example.net
free.example.net
certified.example.net
(end-quote)
The above looks like a mix of both.
ex:
abc(_at_)pqr(_dot_)org d=pqr.org.mailserver.com
lmn(_at_)xyz(_dot_)net d=xyz.net.mailserver.com
I'm using DKIMproxy, so the fine grained control is there.
Ref: [1]: http://tools.ietf.org/html/draft-ietf-dkim-deployment-11
-
Naresh V
On 28 April 2010 19:34, Jason Long <jason(_at_)long(_dot_)name> wrote:
Given your concerns about reputation and potentially abusive domains, I
think you want to sign each domain's mail with a unique d= tag. The main
hurdle, as you suggest, is the greater difficulty of DNS record management.
That could maybe be alleviated by 1) using the same key/pair for each domain
and publish the same public key in each domain's zone file and maybe even 2)
using CNAMEs in each domain's zone file to point back to the public key
published in your own zone.
As for "best practice", I have no idea. But that's my idea.
The other consideration is what options your DKIM signing software gives
you. For instance, if I was using a program that could not pick the d= tag
according to the sender's domain, I might look for other solutions.
Jason
--
DKIMproxy http://dkimproxy.sourceforge.net
On Tue, Apr 27, 2010 at 11:04 AM, Naresh V <nareshov(_at_)gmail(_dot_)com>
wrote:
Hi,
I have a setup here where there are a bunch of boxes that host email
for several domains. A shared email hosting basically.
I want some insight on the pros and cons of
a. having a single whitelisted domain in the "d" tag of the signatures:
All my outgoing mail (regardless of which domain it's from) is signed
with the same "d" tag:
abc(_at_)pqr(_dot_)org d=whitelabel.mailserver.com
lmn(_at_)xyz(_dot_)net d=whitelabel.mailserver.com
(simpler DNS TXT RR management?)
vs.
b. having emails signed with the corresponding "d" tags
abc(_at_)pqr(_dot_)org d=pqr.org
lmn(_at_)xyz(_dot_)net d=xyz.net
(helps if the pqr.org wants to migrate to a different email service
provider?)
Also, in case (a), would designating a separate "s" tag for each
domain make a difference to my domain's (whitelabel.mailserver.com's)
reputation with someone like Return-Path?
I'm concerned about my subnet's reputation. There could be abusive
domains hosted with me, and I intend to suspend them the moment I
get the right feedback via the FBL.
Naresh V
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
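The three d= schemes discussed in the thread (one shared whitelabel domain, the customer's own domain, and the per-customer sub-label mix Naresh describes), together with Jason's CNAME delegation idea, can be made concrete in a small planner. The following is an added example written for this page; it is not DKIMproxy code and not anything posted in the thread. The domains pqr.org, xyz.net, mailserver.com and whitelabel.mailserver.com are taken from the messages above; the selector name "s1", the hyphenated per-customer selector labels, the placeholder key text and the toy zone lookup are assumptions made here.

```python
"""DKIM d=/s= selection and key-record planning for a shared mail host.

Added example for this thread, not DKIMproxy code. pqr.org, xyz.net,
mailserver.com and whitelabel.mailserver.com come from the thread; the
selector "s1", the key text and the record layout are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

PROVIDER = "mailserver.com"            # the shared host's own zone
WHITELABEL = "whitelabel." + PROVIDER  # scheme (a): one d= for all customers
SELECTOR = "s1"                        # assumed selector name

# Constructed placeholder standing in for a base64 RSA public key.
PUBKEY_B64 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructed"

Record = Tuple[str, str, str]  # (owner name, RR type, rdata)


def sender_domain(from_header: str) -> str:
    """Domain of the From: address, lower-cased ('abc@pqr.org' -> 'pqr.org')."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not m:
        raise ValueError("no address in From header: %r" % from_header)
    return m.group(1).lower().rstrip(".")


def choose_tags(from_domain: str, scheme: str) -> Tuple[str, str]:
    """Return (d, s) for mail from from_domain under the schemes in the thread:
      a - single whitelabel d= for everyone; the selector carries the customer
          name so reputation data can still be split per customer
      b - d= is the customer's own domain
      c - d= is a per-customer sub-label under the provider zone
    """
    label = from_domain.replace(".", "-")  # pqr.org -> pqr-org, one DNS label
    if scheme == "a":
        return WHITELABEL, label
    if scheme == "b":
        return from_domain, SELECTOR
    if scheme == "c":
        return from_domain + "." + PROVIDER, SELECTOR
    raise ValueError("unknown scheme %r" % scheme)


def key_records(from_domain: str, scheme: str) -> List[Record]:
    """DNS records a verifier needs in order to find the key for from_domain.

    Under (b) the TXT lives once in the provider zone and the customer zone
    only carries a CNAME to it (the delegation Jason suggests); under (a)
    and (c) every record sits inside the provider zone.
    """
    d, s = choose_tags(from_domain, scheme)
    txt = "v=DKIM1; k=rsa; p=" + PUBKEY_B64
    name = "%s._domainkey.%s" % (s, d)
    if scheme == "b":
        target = "%s._domainkey.%s" % (s, PROVIDER)
        return [(name, "CNAME", target), (target, "TXT", txt)]
    return [(name, "TXT", txt)]


def plan_zones(customers: List[str], scheme: str) -> Dict[str, List[Record]]:
    """Group the needed records by the zone that must publish them, so the
    DNS-management cost of each scheme can be compared side by side."""
    zones: Dict[str, List[Record]] = {}
    for c in customers:
        for rec in key_records(c, scheme):
            zone = PROVIDER if rec[0].endswith("." + PROVIDER) else c
            if rec not in zones.setdefault(zone, []):
                zones[zone].append(rec)   # shared TXT is listed only once
    return zones


def publish(zones: Dict[str, List[Record]]) -> Dict[Tuple[str, str], str]:
    """Flatten the planned zones into a (name, type) -> rdata lookup table."""
    return {(n, t): r for recs in zones.values() for n, t, r in recs}


def parse_dkim_tags(header: str) -> Dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature header value."""
    tags: Dict[str, str] = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)       # b= values may contain '=' padding
            tags[k.strip()] = "".join(v.split())  # drop folding whitespace
    return tags


def lookup_key(zone_db: Dict[Tuple[str, str], str], d: str, s: str,
               max_hops: int = 8) -> Optional[str]:
    """Find the TXT at s._domainkey.d, following CNAMEs as a verifier would.
    Returns None if nothing is published or the CNAME chain loops."""
    name = "%s._domainkey.%s" % (s, d)
    for _ in range(max_hops):
        if (name, "TXT") in zone_db:
            return zone_db[(name, "TXT")]
        if (name, "CNAME") in zone_db:
            name = zone_db[(name, "CNAME")]
            continue
        return None
    return None


def key_reachable(dkim_header: str, zone_db: Dict[Tuple[str, str], str]) -> bool:
    """Does the key named by a signature's d=/s= actually resolve?"""
    tags = parse_dkim_tags(dkim_header)
    return lookup_key(zone_db, tags["d"], tags["s"]) is not None


if __name__ == "__main__":
    customers = ["pqr.org", "xyz.net"]          # from the thread
    for scheme in "abc":
        print("scheme", scheme)
        for zone, recs in plan_zones(customers, scheme).items():
            for n, t, r in recs:
                print("  %-12s %s %s %s" % (zone, n, t, r[:30]))
```

Running it prints, per scheme, which zone has to carry which record: (a) and (c) keep everything in mailserver.com, while (b) needs one CNAME in each customer zone plus one TXT at the provider. Note that with a single CNAME target, as Jason proposes, all customers share one key, so the provider cannot revoke or rotate the key for one abusive customer without affecting the rest; pointing each customer's CNAME at its own target under the provider zone (for example s1._domainkey.pqr-org.mailserver.com) keeps the customer-side record stable while letting the provider manage keys per customer.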