On 12/12/11 11:55 AM, Dave CROCKER wrote:
> On 12/12/2011 7:15 AM, Anthony Piccione wrote:
>> We have DKIM set up and working on our primary domain and would now like to
>> have another domain set up for use in sending emails.
>> For DKIM to also work on this second domain:
>> 1) Does the second domain need to resolve to the same IP address as the
>> first?
>
> DKIM, itself, uses its own domain name field (d=). However the module above
> DKIM that does assessment can impose any policies it wishes. There are
> certainly cases of looking at the relationship between that domain name and the
> domain name in the From: field or the SMTP Mail From command.

Policy (if applied) is likely to follow criteria established by ADSP
where a signature is valid only when referenced from the Author-Domain.
i.e. <author>@<author-domain> must use:
<selector(s...)>._domainkey.<author-domain> TXT ...

> In some cases, there is combined analysis with SPF, which does correlate IP
> addresses with the domain, along the lines you are asking about.

Combining SPF based policy with DKIM signature domains will reduce
DKIM's delivery integrity. SPF on its own suffers high failure rates
where IPv6 transitional protocols increase these failure rates. rDNS
will remain problematic for the same reasons. SPF and rDNS (address
based validation) cannot adapt to current protocol transitional strategies.
http://tools.ietf.org/html/rfc6376

>> 2) Do we need a separate txt record created for the second domain?
>
> I don't really understand the question.
> For a given DKIM domain -- complete with a specific selector -- only one TXT
> record is used.

Agreed. Records referenced below the Author-Domain permit Parent
Domain signatures. One at the Author-Domain permits an Author Domain
signature. A signature that is neither is considered a third-party
signature. The same record can permit both Parent Domain and Author
Domain signatures. There is an experimental draft where hashed
references at the Author-Domain can authorize either Parent or
third-party signatures. This draft provides greater flexibility for
generating Author-Domain authorizations which could be combined with
EHLO domain validations, for example.
See:
http://tools.ietf.org/html/draft-kucherawy-dkim-atps-11
-Doug
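An added example, not code from the thread or from any list member: it parses the d= and s= tags from a DKIM-Signature header, builds the <selector>._domainkey.<domain> name a verifier would query, and labels the signature author-domain, parent-domain or third-party relative to the From: domain, as described above. All header values are constructed; no DNS lookup is performed, and parent-domain detection is plain suffix matching (an assumption of this example, not of the RFC).

```python
import re

# Tag=value parser for a DKIM-Signature header body (RFC 6376, section 3.2).
# Folding whitespace inside values (common in b= and h=) is stripped.
def parse_dkim_signature(header):
    tags = {}
    for field in header.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

# DNS name of the public key record: <selector>._domainkey.<d= domain>
def key_record_name(selector, signing_domain):
    return f"{selector}._domainkey.{signing_domain}"

# Relationship between the From: domain and the d= domain, using the terms from
# the thread: author-domain (equal), parent-domain (d= is an ancestor of the
# author domain), third-party (anything else). Plain suffix matching: it does
# not consult the Public Suffix List, so "example.co.uk" signed under "co.uk"
# would wrongly read as parent-domain.
def classify_signature(author_domain, signing_domain):
    author = author_domain.lower().rstrip(".")
    signer = signing_domain.lower().rstrip(".")
    if author == signer:
        return "author-domain"
    if author.endswith("." + signer):
        return "parent-domain"
    return "third-party"

# Assessment step above DKIM verification: given the From: address and the raw
# DKIM-Signature header, report which key record a verifier would fetch and how
# the signing domain relates to the author domain. No DNS query is performed.
def assess(from_addr, dkim_signature):
    tags = parse_dkim_signature(dkim_signature)
    author_domain = from_addr.rsplit("@", 1)[1].strip("<> ")
    return {
        "key_record": key_record_name(tags["s"], tags["d"]),
        "relationship": classify_signature(author_domain, tags["d"]),
    }

# Constructed sample: a message from a subdomain, signed by the parent domain.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel2011;\n"
              " h=from:to:subject:date; bh=Zm9vYmFy; b=c2lnbmF0dXJl")

if __name__ == "__main__":
    print(assess("user@mail.example.org", SAMPLE_SIG))
```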
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops