Anthony Piccione wrote:
> We have DKIM set up and working on our primary domain and would now
> like to have another domain set up for use in sending emails.
> For DKIM to also work on this second domain:
> 2) Do we need a separate txt record created for the second domain?
That depends on how you wish the world to see the mail, 1st party
signature or 3rd party signatures.
o 1st party:
Author Domain (From:) is the same as the signer domain.
From: apiccione(_at_)healthbanks(_dot_)com
DKIM-Signature: ... d=healthbanks.com; ...
o 3rd party
Author Domain (From:) is NOT the same as the signer domain.
From: apiccione(_at_)second-domain(_dot_)com
DKIM-Signature: ... d=healthbanks.com; ...
So if you use the first setup domain to sign mail in your second
setup, then the world will see that mail as 3rd party signatures.
The idea behind DKIM is to get the world to somehow trust the signer
domain (d=) independent of anything else. In the original DKIM, there
was a tie-in to the Author Domain using SSP, but that dependency was
removed in order to get people to use FUTURE TRUST ALGORITHMS only to
trust the signature. Other than a VBR method, that future is not here
yet, so the receiver has to have a table of trusted signer domains
somewhere to look up.
If you sent me mail with d=healthbanks.com I will not know who that
is, so your signature, 1st or 3rd party means nothing to me.
The only thing I can do is see what your INTENT is, and that is using
the ADSP records, which are associated with the Author Domain:
If your ADSP record for the Author Domain says
DKIM=DISCARDABLE
That means
AUTHOR-DOMAIN MUST EQUAL SIGNER-DOMAIN
So using a single TXT record will "fail" the mail ADSP policy-wise.
The signature may be good, but via POLICY - you made a declaration
that you don't expect anyone else to sign the author domain's mail.
So DISCARDABLE could be problematic for you if you want to use a
single TXT record for the signer. Alternatively, you can use an ADSP
policy:
DKIM=ALL
which means:
All mail is signed
but it is very weak on whether that means AUTHOR only or by ANYONE
else. That is what SSP allowed. ADSP replaced SSP.
Since ADSP was "broken" in this regard (it lacked the ability to define
which 3rd party domains are authorized to sign mail), new ideas emerged, such as:
TPA - Third Party Authorization
ASL - Allowed (Authorized) Signer List
ATPS - Authorized Third Party Signature - a blend of TPA and ASL
The idea is to define a POLICY record for the Author Domain indicating
which signer domains are authorized.
This Web-based Wizard will assist you in creating ADSP/ATPS/ACL TXT
records:
http://www.winserver.com/public/wcadsp/default.wct
In this case, if you want to use a SINGLE TXT RECORD for the signer,
then create ADSP records for the 2nd domain authorizing the first.
Example, for:
Author Domain : second-domain.com
Signer Domains: healthbanks.com
Press the Create button and you will get an ADSP record with asl= tag
and atps=y tag, plus the ATPS record for this author domain
authorizing healthbanks.com.
;
; ATPS (v01) Zone Records for author-domain: second-domain.com
; Generated by wcMakeADSP v3.10(c) copyright 2010 Santronics Software,Inc.
;
_adsp._domainkey TXT ("dkim=all; atps=y; asl=healthbanks.com;")
A5QSYA7JZ4LUEHLSIK47NDL7XV367JBC._atps TXT ("v=atps01; d=healthbanks.com;")
Now of course, if you just want everything to look like a 1st party
signature, then YES, create a signer record for the 2nd domain setup
and use that to match the From: field of the mail coming from there.
Hope this helps.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
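The policy evaluation Hector walks through above (1st party vs 3rd party signer, dkim=discardable vs dkim=all, and asl=/atps= authorization), as an added Python example that is not from the thread or from wcMakeADSP. It assumes the ATPS lookup label is base32(SHA-1(lowercased signer domain)) and that asl= holds a comma-separated list of domains; the zone data is constructed, and the DKIM signature itself is assumed to have already verified.

```python
import base64
import hashlib


def atps_label(signer_domain):
    """ATPS lookup label: base32 of SHA-1 over the lowercased signer domain.
    Assumption: this is the ATPS draft's hashing scheme; the thread does not state it."""
    name = signer_domain.lower().rstrip(".").encode("ascii")
    return base64.b32encode(hashlib.sha1(name).digest()).decode("ascii").rstrip("=")


# Constructed zone data modelled on the thread: second-domain.com (author domain)
# authorizes healthbanks.com as a 3rd party signer; strict.example uses discardable;
# atps-only.example relies on the ATPS record alone (no asl= tag).
ZONE = {
    "_adsp._domainkey.second-domain.com": "dkim=all; atps=y; asl=healthbanks.com;",
    f"{atps_label('healthbanks.com')}._atps.second-domain.com": "v=atps01; d=healthbanks.com;",
    "_adsp._domainkey.strict.example": "dkim=discardable;",
    "_adsp._domainkey.atps-only.example": "dkim=all; atps=y;",
    f"{atps_label('healthbanks.com')}._atps.atps-only.example": "v=atps01; d=healthbanks.com;",
}


def parse_tags(txt):
    """Split a 'k=v; k=v;' TXT value into a dict with lowercase tag names."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def adsp_verdict(author_domain, signer_domain, zone=ZONE):
    """Policy outcome for mail From: author_domain whose DKIM signature verified with d=signer_domain."""
    author_domain, signer_domain = author_domain.lower(), signer_domain.lower()
    if author_domain == signer_domain:
        return "pass: 1st party signature"
    adsp = zone.get(f"_adsp._domainkey.{author_domain}")
    if adsp is None:
        return "none: no ADSP record, 3rd party signature carries no policy weight"
    tags = parse_tags(adsp)
    if tags.get("dkim", "").lower() == "discardable":
        return "fail: discardable requires author domain == signer domain"
    asl = {d.strip().lower() for d in tags.get("asl", "").split(",") if d.strip()}
    if signer_domain in asl:
        return "pass: 3rd party signer listed in asl="
    if tags.get("atps", "").lower() == "y":
        atps = zone.get(f"{atps_label(signer_domain)}._atps.{author_domain}")
        if atps and parse_tags(atps).get("d", "").lower() == signer_domain:
            return "pass: 3rd party signer authorized via ATPS record"
    return f"neutral: unauthorized 3rd party signer under dkim={tags.get('dkim', '?')}"
```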
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops