
Re: [dkim-ops] Shared email hosting DKIM signing best-practices

2010-04-28 09:39:51
Hmm. I was hunting for "best practices" and I found this[1] this morning.
Under section 2.3, it says:

(quoting):

   For those operating messaging services on behalf of a variety of
   customers, an obvious scheme to use has a different sub-domain label
   for each customer.  For example:


                          widgetco.example.net
                          moviestudio.example.net
                          bigbank.example.net

   However it can also be appropriate to label by the class of service
   or class of customer, such as:


                           premier.example.net
                           free.example.net
                           certified.example.net

(end-quote)

The above looks like a mix of both.

ex:

abc@pqr.org d=pqr.org.mailserver.com
lmn@xyz.net d=xyz.net.mailserver.com


I'm using DKIMproxy, so the fine grained control is there.



Ref: [1]: http://tools.ietf.org/html/draft-ietf-dkim-deployment-11

-
Naresh V

On 28 April 2010 19:34, Jason Long <jason@long.name> wrote:
Given your concerns about reputation and potentially abusive domains, I
think you want to sign each domain's mail with a unique d= tag. The main
hurdle, as you suggest, is the greater difficulty of DNS record management.
That could maybe be alleviated by 1) using the same key pair for each domain
and publishing the same public key in each domain's zone file and maybe even 2)
using CNAMEs in each domain's zone file to point back to the public key
published in your own zone.

As for "best practice", I have no idea. But that's my idea.

The other consideration is what options your DKIM signing software gives
you. For instance, if I was using a program that could not pick the d= tag
according to the sender's domain, I might look for other solutions.

Jason
--
DKIMproxy http://dkimproxy.sourceforge.net



On Tue, Apr 27, 2010 at 11:04 AM, Naresh V <nareshov@gmail.com> wrote:

Hi,

I have a setup here where there are a bunch of boxes that host email
for several domains. A shared email hosting basically.
I want some insight on the pros and cons of

a. having a single whitelisted domain in the "d" tag of the signatures:
All my outgoing mail (regardless of which domain it's from) is signed
with the same "d" tag:
abc@pqr.org d=whitelabel.mailserver.com
lmn@xyz.net d=whitelabel.mailserver.com

(simpler DNS TXT RR management?)

vs.

b. having emails signed with the corresponding "d" tags
abc@pqr.org d=pqr.org
lmn@xyz.net d=xyz.net

(helps if the pqr.org wants to migrate to a different email service
provider?)


Also, in case (a), would designating a separate "s" tag for each
domain make a difference to my domain's (whitelabel.mailserver.com)
reputation with someone like Return Path?

I'm concerned about my subnet's reputation. There could be abusive
domains hosted with me and I intend to suspend them the moment I
get the right feedback via the FBL.



Naresh V
_______________________________________________
dkim-ops mailing list
dkim-ops@mipassoc.org
http://mipassoc.org/mailman/listinfo/dkim-ops


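As an added illustration of the d= layouts discussed in this thread (this is example code written for this page, not code from DKIMproxy or from either poster): a small Python model that, for a given sender domain, picks the d= and s= a signer would use under scheme (a), under scheme (b) with the CNAME delegation Jason suggests, and under the per-customer sub-domain label layout from section 2.3 of draft-ietf-dkim-deployment; it then generates the DNS records each layout needs and parses a DKIM-Signature header to derive the key lookup name a verifier would query. The provider name mailserver.com, the customer domains, the selector names and the p= value are constructed placeholders, not real records.

```python
"""Model of the d= strategies from the dkim-ops thread, plus the DNS records
each one needs.  Added example; all names and key material are constructed."""
import re

PROVIDER = "mailserver.com"                  # constructed provider domain
CUSTOMERS = ["pqr.org", "xyz.net"]           # constructed hosted domains
SELECTOR = "mailserver"                      # selector name is an assumption
PUBKEY_P = "CONSTRUCTED_PLACEHOLDER_KEY"     # stands in for the base64 RSA key


def dns_name(selector, domain):
    """RFC 6376 section 3.6.2.1: the key record lives at <s>._domainkey.<d>."""
    return f"{selector}._domainkey.{domain}"


def plan_scheme_a(sender_domain):
    """(a) one white-label d= for every customer.  A per-customer selector is
    used so feedback on a signature can still be tied back to one tenant."""
    return f"whitelabel.{PROVIDER}", sender_domain.replace(".", "-")


def plan_scheme_b(sender_domain):
    """(b) sign as the customer's own domain, provider-chosen selector."""
    return sender_domain, SELECTOR


def plan_scheme_sublabel(sender_domain):
    """draft-ietf-dkim-deployment section 2.3 style: one sub-domain label per
    customer under the provider's domain, e.g. d=pqr.org.mailserver.com."""
    return f"{sender_domain}.{PROVIDER}", SELECTOR


SCHEMES = {"a": plan_scheme_a, "b": plan_scheme_b, "sublabel": plan_scheme_sublabel}
TXT_VALUE = f"v=DKIM1; k=rsa; p={PUBKEY_P}"


def zone_records(scheme):
    """Return (name, type, value) records the layout needs.  Scheme b follows
    Jason's suggestion: one TXT in the provider's zone and a CNAME in each
    customer zone pointing at it, so one key serves every d=."""
    records = []
    if scheme == "b":
        target = dns_name(SELECTOR, PROVIDER)
        records.append((target, "TXT", TXT_VALUE))
        for customer in CUSTOMERS:
            d, s = plan_scheme_b(customer)
            records.append((dns_name(s, d), "CNAME", target))
    else:
        # Schemes a and sublabel keep every record inside the provider's zone.
        for customer in CUSTOMERS:
            d, s = SCHEMES[scheme](customer)
            records.append((dns_name(s, d), "TXT", TXT_VALUE))
    return records


def customer_zone_changes(scheme, customer):
    """Records a customer must edit in its OWN zone when it moves provider.
    Only scheme b puts anything in the customer's zone; a and sublabel leave
    the customer nothing to change (and nothing that follows it, either)."""
    if scheme != "b":
        return []
    d, s = plan_scheme_b(customer)
    return [dns_name(s, d)]


# tag=value list per RFC 6376 section 3.2; values may span folded lines.
TAG_RE = re.compile(r"\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*([^;]*?)\s*(?:;|$)")


def parse_dkim_signature(header_value):
    """Parse a DKIM-Signature header value into a tag dict.  Folding
    whitespace inside values (e.g. a wrapped b=) is removed."""
    return {m.group(1): re.sub(r"\s+", "", m.group(2))
            for m in TAG_RE.finditer(header_value)}


def key_lookup_name(header_value):
    """Name a verifier queries for the signature's public key."""
    tags = parse_dkim_signature(header_value)
    return dns_name(tags["s"], tags["d"])


if __name__ == "__main__":
    # Constructed header as DKIMproxy-style signing would emit under scheme b.
    hdr = ("v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n\td=pqr.org; s=mailserver;"
           "\r\n\th=from:to:subject; bh=YmgK; b=")
    print(key_lookup_name(hdr))
    for scheme in SCHEMES:
        print(scheme, zone_records(scheme), customer_zone_changes(scheme, "pqr.org"))
```

The migration question in the original post falls out of `customer_zone_changes`: under scheme (b) the customer owns the CNAME and can repoint it at a new provider's key without the old provider's involvement, whereas under (a) or the sub-label layout the customer has no record of its own to carry over.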
