Hi all,

this is not a Postfix-specific question, but I hope I'll find some
experts on that topic here ;)

A long time ago I implemented SPF/DKIM/DMARC signing/checking for the
two domains served by my Postfix instance. As everything seemed to work
fine, I recently moved from "permissive" to "strict" policies.

I know that this breaks interoperability with most mailing list agents,
and thus I've set up a subdomain with its own SPF/DKIM/DMARC settings
which I want to use especially for mailing lists (like
postfix-users@postfix.org). In fact, this email is a first test of my
new setup ;)


These are my new DNS settings for one of the domains and its subdomain:



$ORIGIN microscopium.de.
; SMTP SPF
                                IN TXT  "v=spf1 +ip4:88.217.187.146 +ip6:2001:470:6d:976::1 -all"
                                IN SPF  "v=spf1 +ip4:88.217.187.146 +ip6:2001:470:6d:976::1 -all"
; SMTP DMARC
_dmarc                          IN TXT  "v=DMARC1; p=reject; sp=none; rua=mailto:postmas...@microscopium.de; ruf=mailto:postmas...@microscopium.de;";
; SMTP DKIM
_domainkey                      IN TXT  "o=-; r=postmas...@microscopium.de"
mail._domainkey                 IN TXT  "v=DKIM1; k=rsa; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6mbWGI0yAXY0IoxIvV1L5GXdGAErO7W9ZIqa+cFgTJSNz3sYb5dYFVlI32igQGbDmegFrpUOhApwhe59K+WPONoxggQ/kaJWQ3vkVET/z9zV4PWRwYqOWnJZzoWsS8H6N3775TYo47QI/Ie3X/FGX0D99wymhCwMDhU+G8st9Q+8PIgGQp38NuAx+"
 
"hmuOKVBNAX6sVv7Ip3Lw6QNgRfKCFYbNFro982myjqnNEVQFim5+XCv7WRDuYOKnQM1ZXsHpjew96XmdeDMK6mhHz2R0K4RGnR1+GFS3DoXiodfMvp4CKTAL96Pi7TtyPSBYnth2I989Zbs6CWNxNiGnFqVKwIDAQAB"
_adsp._domainkey                IN TXT  "dkim=discardable"



$ORIGIN lists.microscopium.de.
; SMTP SPF
                                IN TXT  "v=spf1 +all"
                                IN SPF  "v=spf1 +all"
; SMTP DMARC
_dmarc                          IN TXT  "v=DMARC1; p=reject; rua=mailto:postmas...@microscopium.de; ruf=mailto:postmas...@microscopium.de;";
; SMTP DKIM
_domainkey                      IN TXT  "o=-; r=postmas...@microscopium.de"
mail._domainkey                 IN TXT  "v=DKIM1; k=rsa; " 
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3Sw5pD8imtRZ3HzKPMbT99BPW2fCqWCTMAEwl5UMYAefgpDS8xzI0f8BX3eY2mgHNid9B18fujUtIPhykuEwMq2XVcoC+5uljr2jmLuaQwIPth2A/A4mtSMABvZmR/2wS96iY6oshHRaAciXtsS0G3vw3BU+8ga5OWg30C6C6H/8QbDjfczQZMaN+qVTYh3xPldTKQaFOIMPS7"
 
"/eIBrQGXUXw1uV5DcAZX3OKqrBbD54vc9lBdGdcg/qAANZQWWn+EjZq7mQ6Szcq0jHKdAId4clcE6QRUfZOJHlbIQteo0ngOJ5gCrsyPO+GxAgQhql91xJMg3S9W9KIen/GYWB6wIDAQAB"
  
_adsp._domainkey                IN TXT  "dkim=discardable"



In my understanding, for mail sent from the subdomain to a mailing list,
any final recipient's DKIM check should result in "pass" (as the original
DKIM signature is still present), and the SPF check should also result in
"pass" as the SPF "v=spf1 +all" statement allows any IP (which now is
the IP of the mailing list MTA, not mine) as sender for the subdomain.
But I am a bit uncertain about how the SPF/DKIM/DMARC settings of the
parent domain impact the subdomain.

Is that a good/working/safe setup, or am I doing anything stupid/nasty
here?

Thanks for help,

Robert


-- 
Robert Senger
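
Added example, not part of the original post: a sketch of how an RFC 7489
receiver picks the DMARC policy and checks identifier alignment for the
records shown above. The two-label organizational-domain shortcut and the
list's envelope domain list.example are assumptions made for illustration.

```python
# Added example: RFC 7489 policy discovery and identifier alignment.
# Records are constructed from the zone data in the post (rua/ruf omitted).
DMARC_RECORDS = {
    "_dmarc.microscopium.de": "v=DMARC1; p=reject; sp=none",
    "_dmarc.lists.microscopium.de": "v=DMARC1; p=reject",
}

def org_domain(domain):
    # Assumption: last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_tags(record):
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def discover_policy(from_domain, records=DMARC_RECORDS):
    """Return (policy, record name) for the RFC5322.From domain."""
    from_domain = from_domain.lower().rstrip(".")
    own = records.get("_dmarc." + from_domain)
    if own:  # a record at the From domain wins; the parent's sp= is not used
        return parse_tags(own).get("p", "none"), "_dmarc." + from_domain
    name = "_dmarc." + org_domain(from_domain)
    if name not in records:
        return None, None
    tags = parse_tags(records[name])
    # Subdomain without its own record: parent's sp= applies, else its p=
    return tags.get("sp", tags.get("p", "none")), name

def aligned(from_domain, auth_domain):
    # Relaxed alignment (the default when adkim=/aspf= are absent)
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, spf, mailfrom_domain, dkim, dkim_d):
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with From."""
    spf_ok = spf == "pass" and aligned(from_domain, mailfrom_domain)
    dkim_ok = dkim == "pass" and aligned(from_domain, dkim_d)
    policy, source = discover_policy(from_domain)
    passed = spf_ok or dkim_ok
    return {"dmarc": "pass" if passed else "fail", "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "policy": policy, "source": source,
            "disposition": "none" if passed or policy is None else policy}

# Constructed scenarios: a list relays with its own envelope sender domain
# (hypothetical list.example), so the SPF check runs against that domain.
INTACT = evaluate("lists.microscopium.de", "pass", "list.example",
                  "pass", "lists.microscopium.de")
MODIFIED = evaluate("lists.microscopium.de", "pass", "list.example",
                    "fail", "lists.microscopium.de")
```

INTACT models a list that relays the message unchanged; MODIFIED models a
list that alters the signed content so the DKIM signature no longer verifies.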

