What about DKIM only? Can it be used instead of, or as a "replacement" for, SPF? For example, mails are signed with DKIM from the SMTP servers, and the receiving servers are checking both SPF and DKIM. If the receiving server detected a missing SPF, would it allow mail through if DKIM is present and valid? I suppose a lot of this depends on the SPF policies enforced on the receiving side.
On Mon, Aug 29, 2016 at 1:53 AM, Dave Warren <da...@hireahit.com> wrote:

> The easiest answer is: Whatever you want. Strictly speaking, alphazulu.com can send mail on behalf of foxtrot.com using an alphazulu.com DKIM selector, and that's perfectly valid under DKIM. However, it won't have DMARC alignment, which is becoming more and more important, so if alignment is relevant, you'll need to use a foxtrot.com selector.
>
> tl;dr: Use a foxtrot.com selector unless you simply can't.
>
> As for who generates it, it's irrelevant. The sending server will need the private key, your DNS records will contain the public key, but it makes no difference if foxtrot.com creates the keys and delivers them to the appropriate parties, or if alphazulu.com generates a private key and provides the alphazulu._domainkey.foxtrot.com record to foxtrot.com.
>
> Remember that you can have as many selectors as you want, don't reuse them across trust boundaries (in other words, consider that in the future, foxtrot.com and alphazulu.com may part ways, when that happens, it's ideal if you can remove the selector from your DNS (after a period of time, at least a week), such that alphazulu.com cannot continue to sign mail. It's also ideal if you don't have to update DKIM records elsewhere in your infrastructure.
>
> I hope at least some of this makes sense, but if not, ask. DKIM and DMARC are fiddly, and a lot of the DKIM advice out there isn't entirely complete now that DMARC is on the scene and DMARC builds on top of DKIM and SPF.
>
>
> On Sun, Aug 28, 2016, at 16:13, project722 wrote:
>
> Let's say my domain is foxtrot.com and we have SPF records for the SMTP servers on foxtrot.com. Now let's say I have decided I want to allow alphazulu.com to send mail as foxtrot. I know how to add alphazulu.com to the SPF, but if I wanted to also use DomainKeys or DKIM to authenticate alphazulu.com, would the keys need to be in foxtrot's name or alphazulu's?
>
> For example, would I use:
>
> _domainkey.foxtrot.com. IN TXT "t=y\; o=~\;"
> xxxxxxx._domainkey.foxtrot.com. IN TXT "k=rsa\; p=xxxxxxxxxxx
>
> or
>
> _domainkey.alphazulu.com. IN TXT "t=y\; o=~\;"
> xxxxxxx._domainkey.alphazulu.com. IN TXT "k=rsa\; p=xxxxxxxxxxx
>
> Also,
> 1) Who generates the keys? Foxtrot or Alphazulu?
> 2) Would I need both SPF and keys, or would keys alone be enough to authenticate the other domain? (I am in a position where I would like to use only keys.)
> 3) Which one is better to use in terms of provider checking? For example, are providers even checking keys as much as they are SPF?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
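A worked check of the DMARC identifier-alignment rule (RFC 7489) that Dave Warren's reply turns on, and of the "DKIM only" question at the top of the thread: this is an added example, not code from anyone in this thread. It uses the foxtrot.com / alphazulu.com names from the discussion and, as a labelled simplification, derives the organizational domain from the last two labels instead of consulting the Public Suffix List.

```python
"""DMARC alignment check (RFC 7489 section 3.1), added illustration.

DMARC passes when at least one authenticated identifier aligns with the
RFC5322.From domain: the SPF-authenticated MAIL FROM domain, or the DKIM
signature's d= domain. A signature that validates under DKIM but carries
d=alphazulu.com does not align with a foxtrot.com From header.
"""
from typing import Optional


def org_domain(domain: str) -> str:
    # Assumption: organizational domain = rightmost two labels. Real
    # implementations use the Public Suffix List (e.g. for example.co.uk).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str = "r") -> bool:
    """mode 'r' = relaxed (organizational domains match), 's' = strict (exact)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain: str,
                 spf_result: str, spf_domain: Optional[str],
                 dkim_result: str, dkim_d: Optional[str],
                 adkim: str = "r", aspf: str = "r") -> str:
    """Return 'pass' if SPF or DKIM both authenticated and aligned, else 'fail'."""
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, adkim)
    return "pass" if spf_ok or dkim_ok else "fail"


if __name__ == "__main__":
    # Constructed cases: From header is always foxtrot.com.
    # 1) No SPF at all, valid DKIM under a foxtrot.com selector -> DMARC pass.
    print(dmarc_result("foxtrot.com", "none", None, "pass", "foxtrot.com"))
    # 2) Valid DKIM, but signed with an alphazulu.com selector -> fail.
    print(dmarc_result("foxtrot.com", "none", None, "pass", "alphazulu.com"))
    # 3) SPF and DKIM both pass for alphazulu.com, neither aligns -> fail.
    print(dmarc_result("foxtrot.com", "pass", "alphazulu.com", "pass", "alphazulu.com"))
```

Case 1 is the thread's "DKIM only" scenario: for DMARC purposes an aligned, valid DKIM signature is sufficient on its own, though a receiver may still apply its own SPF policy independently of DMARC.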