>> Do NOT look up rDNS in the DWL.  If you do, you will get random
>> results, since we have no idea what rDNS our clients use.
>
>Noted. The feature is not SpamHaus specific, and other WLs may support
>rDNS domains, but we should perhaps add a note in the docs about SpamHaus,
>since your list will likely be one of the most widely used.

FWIW, the reason I didn't do rDNS domains for whitelisting is that I
don't think it solves a significant problem.  The granularity is still
individual servers on IP addresses, so if you can enumerate the rDNS,
you should be able to enumerate the IP addresses as well.

>Does it make sense in your view to use the "From:" domain to sign
>*all* mail, and not add that domain to the DNSWL, while reserving
>a sub-domain (that never matches "From:") for the good senders, and
>applying a *second* signature for the "transactional" mail, so that
>the transactional stuff is whitelisted by DNSWL users, and the
>"From:" header authentication nuts get what they want also?

Sure.  It's a deliberate part of DKIM's design that you can apply
multiple signatures.  In my tiny system, I put a d=iecc.com signature
on all the individual mail, and also a d=<domain> signature on mail
where the From: line has an address in a domain for which I have a
signing key.

I use d=lists.iecc.com for mailing list mail, to make that a separate
stream, not eligible for the SWL but pretty clean anyway.

Using different signatures to separate out interestingly different
streams, e.g., transactions, lists, and humans, is just how it's
supposed to work.

R's,
John
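
An added example, not part of the original message or of any whitelist operator's code: a receiver-side sketch of keeping the signature streams described above separate by matching each `d=` value exactly. The helper names, sample headers and the in-memory `WHITELIST` are assumptions made up for illustration, and each signature is assumed to have been verified by a DKIM verifier already.

```python
import email
import re

# Constructed sample headers; selectors and bh=/b= values are placeholders.
# INDIVIDUAL carries two signatures (d=iecc.com plus the From: domain),
# LIST carries only the separate list-stream signature.
INDIVIDUAL = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=iecc.com; s=sel1;\r\n"
    "\th=from:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=Example.ORG;\r\n"
    "\ts=sel2; h=from:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    "From: user@example.org\r\nSubject: hello\r\n\r\nbody\r\n"
)
LIST = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=lists.iecc.com; s=sel3;\r\n"
    "\th=from:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    "From: user@example.org\r\nSubject: [list] hello\r\n\r\nbody\r\n"
)
# Constructed stand-in for a domain whitelist; a real one is queried over DNS.
WHITELIST = {"iecc.com"}

def parse_tag_list(value):
    """Parse an RFC 6376 tag=value list into a dict.
    Folding whitespace is dropped from values, which is safe for d=, bh=, b=."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def signing_domains(raw_message):
    """Return the lower-cased d= domain of every DKIM-Signature, in header order."""
    msg = email.message_from_string(raw_message)
    domains = []
    for header in msg.get_all("DKIM-Signature", []):
        d = parse_tag_list(str(header)).get("d", "").lower()
        if d:
            domains.append(d)
    return domains

def whitelisted_signers(raw_message, whitelist):
    """Signing domains found in `whitelist` by exact match only.
    lists.iecc.com does not inherit an entry for iecc.com, so the list
    stream stays separate from the whitelisted one."""
    return [d for d in signing_domains(raw_message) if d in whitelist]
```
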
