dkim-ops

Re: [dkim-ops] DKIM Implementation Question

2010-06-23 11:26:38
Baird, Josh wrote:
Hi,

We have a need to implement DKIM for some outbound mail.  All of the
mail for this opt-in email campaign is relayed through a separate MTA
(Postfix).  This domain also serves non-campaign related mail through a
number of different MTAs in our environment.  

We only want to implement/sign DKIM for the opt-in campaign emails going
out the Postfix MTA.  So, we generate a public DKIM key, and create a
corresponding public DNS record.  We then install a dkim-milter agent on
the Postfix MTA that all of the opt-in campaign mail is relayed through.
This agent signs each email as it traverses the MTA and goes to its
final destination.

My question is, if we do not sign the non-campaign email that leaves the
other MTAs in our environment, will this pose a problem for delivery of
these emails?  If the DNS record exists, but the MTA is not attaching a
DKIM ID header to the email as it leaves, will these emails be
potentially denied by ISPs that verify DKIM IDs?  If Yahoo, or
another ISP that verifies DKIM signatures, sees that the message does not
have a DKIM header, but the domain does have a DKIM public record in DNS..
will this pose a problem?
  

Josh,

I can answer mostly theoretically; I'm not with Yahoo or any of the 
other big ISPs so I don't know what they actually do.

In theory, what you're doing should be fine.  There is no implication if 
you sign some of your mail that all of it is signed, unless you publish 
an ADSP record saying that you do.  However, it's possible (particularly 
if your outgoing mail volume is dominated by signed campaign mail) that 
someone might infer that you sign everything.  I hope they don't do 
that, but it's possible.

Many domains put their campaign emails in separate subdomains, i.e., 
newsletter.example.com.  If you're concerned about this, you might 
consider that approach.

-Jim
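
Added example, not part of the original message or any list member's code: how a receiver applying ADSP (RFC 5617) would classify signed and unsigned mail when only a campaign subdomain publishes dkim=all. The zone contents, domain names and function names are constructed for illustration; no DNS lookups are made.

```python
# Constructed zone data (assumption for this example). ADSP records are TXT
# records at _adsp._domainkey.<author domain>. Here example.com publishes
# DKIM keys but no ADSP record; only the campaign subdomain publishes one.
CONSTRUCTED_ZONE = {
    "_adsp._domainkey.newsletter.example.com": "dkim=all",
}


def parse_adsp(txt):
    """Return the signing practice from an ADSP record, or None if malformed."""
    # RFC 5617: a record must start with the lowercase tag "dkim".
    if not txt.startswith("dkim"):
        return None
    first_tag = txt.split(";", 1)[0]
    name, sep, value = first_tag.partition("=")
    if not sep or name.strip() != "dkim":
        return None
    value = value.strip()
    # Values a verifier does not recognize are treated as "unknown".
    return value if value in ("unknown", "all", "discardable") else "unknown"


def adsp_result(from_domain, valid_sig_domains, zone=CONSTRUCTED_ZONE):
    """ADSP outcome given the From: domain and the d= domains of the
    signatures that verified on the message."""
    from_domain = from_domain.lower()
    if from_domain in (d.lower() for d in valid_sig_domains):
        return "pass"  # a valid Author Domain Signature is present
    txt = zone.get("_adsp._domainkey." + from_domain)
    practice = parse_adsp(txt) if txt is not None else None
    if practice is None:
        # No record, or a malformed one (ignored): the domain has made no
        # claim, so a missing signature implies nothing.
        return "none"
    return {"unknown": "unknown", "all": "fail", "discardable": "discard"}[practice]


if __name__ == "__main__":
    # Unsigned non-campaign mail from the parent domain: no ADSP claim.
    print(adsp_result("example.com", []))
    # Unsigned mail claiming the campaign subdomain, which publishes dkim=all.
    print(adsp_result("newsletter.example.com", []))
    # Signed campaign mail.
    print(adsp_result("newsletter.example.com", ["newsletter.example.com"]))
```

The lookup is keyed on the exact From: domain, so a strict record on the campaign subdomain does not change how unsigned mail from the parent domain is evaluated.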
