On Tue, Nov 09, 2010 at 03:34:09AM -0000, John Levine wrote:

> >Does it make sense in your view to use the "From:" domain to sign
> >*all* mail, and not add that domain to the DNSWL, while reserving
> >a sub-domain (that never matches "From:") for the good senders, and
> >applying a *second* signature for the "transactional" mail, so that
> >the transactional stuff is whitelisted by DNSWL users, and the
> >"From:" header authentication nuts get what they want also?
>
> Sure. It's a deliberate part of DKIM's design that you can apply
> multiple signatures. In my tiny system, I put a d=iecc.com signature
> on all the individual mail, and also a d=<domain> signature on mail
> where the From: line has an address in a domain for which I have a
> signing key.
>
> I use d=lists.iecc.com for mailing list mail, to make that a separate
> stream, not eligible for the SWL but pretty clean anyway.
>
> Using different signatures to separate out interestingly different
> streams, e.g., transactions, lists, and humans, is just how it's
> supposed to work.
Sadly, the opendkim library does not support applying two signatures in parallel (set up two signing contexts, pass the message content through once, get two signatures). So I have to pass the message through the library twice, to apply two signatures. Not a show-stopper, but annoying.

-- 
Viktor.
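As an added illustration, not part of the original thread and not opendkim's or any other project's code: the sketch below shows what the two-signature layout John describes looks like on the wire, and why one pass over the body would be enough in principle. Both DKIM-Signature headers on a message carry the same bh= (the hash of the canonicalized body); only d=, s= and the b= value differ. A DNSWL-style consumer then keys on the d= of a verified signature, so a sub-domain such as the constructed txn.example.com can be listed while the parent example.com is not. The domains, selectors and message are constructed for the example, the b= values are placeholders, and only RFC 6376 relaxed body canonicalization and the body hash are computed; real verification would additionally fetch the public key from DNS and check the RSA signature, which this code does not do.

```python
import base64
import hashlib
import re
from email import message_from_string
from email.message import Message


def relaxed_body_canon(body: str) -> str:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization.

    Bare LF is accepted and normalized to CRLF here as a simplification;
    a strict implementation would require CRLF input.
    """
    lines = []
    for line in re.split(r"\r?\n", body):
        line = re.sub(r"[ \t]+", " ", line)  # collapse runs of WSP to a single space
        lines.append(line.rstrip(" \t"))      # drop trailing WSP on each line
    while lines and lines[-1] == "":          # drop trailing empty lines
        lines.pop()
    return "\r\n".join(lines) + "\r\n" if lines else ""


def body_hash(body: str) -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canon(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature field value into tag=value pairs.

    Folding whitespace inside values is removed; only the first '=' splits,
    so base64 padding in b=/bh= is preserved.
    """
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_domains(msg: Message) -> list:
    """The d= of every DKIM-Signature header present, in header order."""
    return [parse_dkim_tags(v).get("d", "").lower()
            for v in msg.get_all("DKIM-Signature", [])]


def whitelisted_stream(msg: Message, listed_domains: set) -> bool:
    """DNSWL-style decision: true only if some signature's d= is listed.

    Assumes the signatures have already been cryptographically verified;
    an unverified d= must never be trusted.
    """
    return any(d in listed_domains for d in signature_domains(msg))


# Constructed sample message carrying two signatures over one body:
# d=example.com on everything, plus d=txn.example.com on transactional mail.
SAMPLE_BODY = "Your order has shipped.  \r\n\r\n\r\n"
BH = body_hash(SAMPLE_BODY)  # identical in both signatures
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "  s=mail; h=from:to:subject; bh=" + BH + ";\r\n"
    "  b=PLACEHOLDER_SIGNATURE_ONE\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=txn.example.com;\r\n"
    "  s=txn; h=from:to:subject; bh=" + BH + ";\r\n"
    "  b=PLACEHOLDER_SIGNATURE_TWO\r\n"
    "From: orders@example.com\r\n"
    "To: customer@example.net\r\n"
    "Subject: Shipping notice\r\n"
    "\r\n"
    + SAMPLE_BODY
)


def parse_sample() -> Message:
    return message_from_string(SAMPLE_MESSAGE)


def sample_body_hash_matches() -> bool:
    """Recomputing bh= from the parsed body reproduces the value in both headers."""
    msg = parse_sample()
    tags = [parse_dkim_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    return all(t["bh"] == body_hash(msg.get_payload()) for t in tags)


if __name__ == "__main__":
    msg = parse_sample()
    print("signing domains:", signature_domains(msg))
    print("bh= consistent:", sample_body_hash_matches())
    print("listed (txn.example.com only):",
          whitelisted_stream(msg, {"txn.example.com"}))
    print("listed (lists.example.com only):",
          whitelisted_stream(msg, {"lists.example.com"}))
```

The practical point for a whitelist operator is the last two calls: listing only the transactional sub-domain admits mail that carries that second signature, while the parent domain's blanket signature on its own confers nothing.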