Hector Santos wrote:
For example: santronics.com
Mail Flow Requirements:
1) I might want an exclusive policy for general
business/vendor communications where exclusive
outbound is only from santronics.com network.
2) I want a relaxed policy for non-business traffic
sent by our servers, i.e., a mailing list.
The general topology is:
MUA ---> MSA/MTA ---> MDA
The final designation MDA is a DKIM ready verifier and signer too.
Now at my santronics.com MTA, I have a configuration:
SELECTOR business
SELECTOR non-business mailinglist.com
If my target address is mailinglist.com, the MTA will use the non-business
selector. Otherwise, the default will use the business selector.
I use a STRONG policy for non-business
I use an EXCLUSIVE policy for business (which is the default)
Something you have to remember here is that the signing policy lookup DOES
NOT have any selector to provide it a path into the DNS. All you know is
what's in the domain part of the From: address because... there's no
signature. Thus you always have to have the _policy record available at a
fixed location.
We've thought quite a lot about this and it really looks like the only
reasonable way to deal with this is to segregate the traffic into different
subdomains (yes, I hear the groans) with different policies. The alternative
is that you need to enumerate all of the policies at one level of the DNS
tree which is unattractive given MTU considerations. Thus, you'd want:
_policy._domainkey.biz.santronix.com. IN TXT "o=!;"
_policy._domainkey.santronix.com. IN TXT "o=-;"
or something like that.
Mike
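The asymmetry Mike describes (a key lookup is steered by the selector in the signature, a policy lookup has only the From: domain and so needs a fixed name per subdomain) as an added example, not code from either poster. The in-memory zone, the `POLICY_NAMES` labels and all function names are assumptions; the zone reuses the two records quoted in the reply.

```python
"""Added example (not from the thread): resolve a DKIM signing policy
from a From: header, showing why the record needs a fixed name."""
from email.utils import parseaddr

# Constructed in-memory zone standing in for live TXT lookups; the two
# records are the ones quoted in the reply.
ZONE = {
    "_policy._domainkey.biz.santronix.com.": "o=!;",
    "_policy._domainkey.santronix.com.": "o=-;",
}

# Assumed labels: the thread pairs "o=!" with the exclusive business
# policy and "o=-" with the strong non-business one, nothing more.
POLICY_NAMES = {"!": "exclusive", "-": "strong"}


def from_domain(from_header):
    """Domain part of the From: address, lower-cased, no trailing dot."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def key_query_name(selector, domain):
    """Signature verification: the selector carried in the DKIM-Signature
    header picks the key record, so one domain can publish many keys."""
    return f"{selector}._domainkey.{domain}."


def policy_query_name(domain):
    """Policy lookup: no signature, hence no selector, so the name is
    fixed per domain and per-traffic policies need separate subdomains."""
    return f"_policy._domainkey.{domain}."


def parse_policy_txt(txt):
    """Split the 'tag=value;' pairs of a policy TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip()] = value.strip()
    return tags


def lookup_policy(from_header, zone=ZONE):
    """Return (query name, policy label or None) for an unsigned message."""
    name = policy_query_name(from_domain(from_header))
    txt = zone.get(name)
    if txt is None:
        return name, None  # nothing published at the fixed name
    return name, POLICY_NAMES.get(parse_policy_txt(txt).get("o"))
```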