dkim-ops

Re: [dkim-ops] Shared email hosting DKIM signing best-practices

2010-04-28 09:44:55
Given your concerns about reputation and potentially abusive domains, I
think you want to sign each domain's mail with a unique d= tag. The main
hurdle, as you suggest, is the greater difficulty of DNS record management.
That could maybe be alleviated by 1) using the same key pair for each domain
and publishing the same public key in each domain's zone file and maybe even 2)
using CNAMEs in each domain's zone file to point back to the public key
published in your own zone.

As for "best practice", I have no idea. But that's my idea.

The other consideration is what options your DKIM signing software gives
you. For instance, if I was using a program that could not pick the d= tag
according to the sender's domain, I might look for other solutions.

Jason
--
DKIMproxy http://dkimproxy.sourceforge.net



On Tue, Apr 27, 2010 at 11:04 AM, Naresh V <nareshov(_at_)gmail(_dot_)com> 
wrote:

Hi,

I have a setup here where there are a bunch of boxes that host email
for several domains. A shared email hosting basically.
I want some insight on the pros and cons of

a. having a single whitelisted domain in the "d" tag of the signatures:
All my outgoing mail (regardless of which domain it's from) is signed
with the same "d" tag
abc@pqr.org d=whitelabel.mailserver.com
lmn@xyz.net d=whitelabel.mailserver.com

(simpler DNS TXT RR management?)

vs.

b. having emails signed with the corresponding "d" tags
abc@pqr.org d=pqr.org
lmn@xyz.net d=xyz.net

(helps if pqr.org wants to migrate to a different email service
provider?)


Also, in case (a), would designating a separate "s" tag for each
domain make a difference to my domain (whitelabel.mailserver.com)'s
reputation with someone like Return-Path?

I'm concerned about my subnet's reputation. There could be abusive
domains hosted with me and I intend to suspend it the moment I
get the right feedback via the FBL.



Naresh V
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
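
A check for the two suggestions in the reply above (the same public key published in every hosted domain's zone, or a CNAME pointing back to the provider's zone), as an added example that is not part of the original thread. It walks a constructed record table, standing in for live DNS lookups, and reports whether each hosted domain's selector record yields the provider's key; the selector `s1`, the key value and the record table are assumptions.

```python
# Constructed placeholder, not a real key (base64 of "CONSTRUCTED-KEY").
PROVIDER_KEY = "Q09OU1RSVUNURUQtS0VZ"

# Constructed records, name -> (type, value). Selector "s1" is hypothetical.
ZONE = {
    "s1._domainkey.whitelabel.mailserver.com":
        ("TXT", f"v=DKIM1; k=rsa; p={PROVIDER_KEY}"),
    # Option 2 from the reply: CNAME back to the provider's zone.
    "s1._domainkey.pqr.org":
        ("CNAME", "s1._domainkey.whitelabel.mailserver.com."),
    # Option 1 gone stale: a copied key that was never updated after rotation.
    "s1._domainkey.xyz.net": ("TXT", "v=DKIM1; k=rsa; p=T0xELUtFWQ=="),
    # An empty p= tag marks a revoked key (RFC 6376).
    "s1._domainkey.suspended.test": ("TXT", "v=DKIM1; p="),
    # Misconfiguration: a CNAME that points at itself.
    "s1._domainkey.loop.test": ("CNAME", "s1._domainkey.loop.test"),
}

def resolve_txt(name, zone, max_hops=5):
    """Follow CNAMEs to a TXT record; None if absent or the chain is too long."""
    for _ in range(max_hops):
        rec = zone.get(name.lower().rstrip("."))
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "TXT":
            return value
        name = value  # CNAME: continue at the target name
    return None

def parse_tags(txt):
    """Split a DKIM key record into its tag=value pairs, dropping whitespace."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def check_domain(domain, selector, expected_p, zone):
    """Return 'ok', 'mismatch', 'revoked' or 'missing' for one hosted domain."""
    txt = resolve_txt(f"{selector}._domainkey.{domain}", zone)
    if txt is None:
        return "missing"
    p = parse_tags(txt).get("p")
    if p == "":
        return "revoked"
    return "ok" if p == expected_p else "mismatch"

if __name__ == "__main__":
    for d in ("pqr.org", "xyz.net", "suspended.test", "loop.test", "absent.test"):
        print(d, check_domain(d, "s1", PROVIDER_KEY, ZONE))
```

The `mismatch` case is the operational cost of publishing a copy of the key per zone: every copy has to be updated on rotation, while CNAMEd domains follow the provider's record automatically.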
