I found I can use straight IP addresses - they do not consume any lookups.
My thanks to the folks that shared that information.

Philip, you raise additional questions about sharing DKIM records.
This relay is for servers in a single DNS domain.
Do all the servers relaying through us need DKIM records ?
If so, they can be placed in the domain's DNS.  Will that work ?

Otherwise, do you have any reference links for sharing DKIM records ?

I know this is a Postfix mailing list, but without this, Postfix will not work 
beyond one's local network.

-----Original Message-----
From: Philip Paeps <phi...@trouble.is>
Date: Tuesday, June 29, 2021 at 00:51
To: Daniel White <daniel.e.wh...@nasa.gov>
Cc: Postfix users <postfix-users@postfix.org>
Subject: [EXTERNAL] Re: SPF and DKIM and DMARC records for a relay, on my !

    On 2021-06-29 02:09:10 (+0800), White, Daniel E. (GSFC-770.0)[NICS] 
    wrote:
    > We are trying to understand all of these because we will be required 
    > to use them eventually.
    >
    > I am getting my info at https://www.dmarcanalyzer.com/spf/
    >
    > If we add an IP to our SPF record, is any additional action necessary 
    > for the DMARC and/or DKIM records ?

    Not necessarily.  If the additional server doesn't share a DKIM key with 
    any of the others, you'll need to add its key to the DNS as well.  If 
    it's another server in the same administrative domain and you have a 
    secure way of sharing a DKIM key with an existing server, there's no 
    need.

    > The site says, " When using SPF you need to take note of a limitation 
    > in this technique. The number of DNS lookups which are allowed to take 
    > place is limited to 10."  If we have more than 10 email senders, are 
    > we SOL or is there a way to include them without breaking this rule ?

    If you can list the IP addresses in the SPF record, there won't be 
    additional lookups:

    "v=spf1 ip4:10.0.0.0/28 ~all" = one lookup
    "v=spf1 mx ip4:10.0.0.0/28 ~all" = two lookups
    "v=spf1 mx include:spf.example.net ~all" = at least two lookups

    > Multiple SPF records ?

    Even with a crazy number of senders, you should be able to figure out a 
    way to limit yourself to only a couple of levels of indirection.

    Philip

    -- 
    Philip Paeps
    Senior Reality Engineer
    Alternative Enterprises
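
The lookup counting discussed in this thread, as an added example that is not code from either participant: a small offline counter that walks an SPF record and its `include:` chain. The zone contents and domain names are constructed for illustration. It counts only the terms that RFC 7208 section 4.6.4 charges against the limit of 10, so the initial TXT fetch of the record itself is not included in its totals.

```python
# Constructed sample zone: name -> SPF TXT record (illustrative, not real DNS data).
ZONE = {
    "example.org": "v=spf1 mx ip4:10.0.0.0/28 include:spf.example.net ~all",
    "spf.example.net": "v=spf1 ip4:192.0.2.0/24 include:_relay.example.net ~all",
    "_relay.example.net": "v=spf1 a:relay.example.net ip6:2001:db8::/32 -all",
    "flat.example.org": "v=spf1 ip4:10.0.0.0/28 ip4:10.0.1.17 ~all",
}

# Mechanisms that RFC 7208 section 4.6.4 counts toward the limit of 10
# (the redirect= modifier is also counted and is handled separately below).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10


def count_lookups(domain, zone=ZONE, path=frozenset()):
    """Count limit-charged terms in domain's SPF record, following
    include: and redirect= recursively (worst case: every term evaluated)."""
    if domain in path:
        raise ValueError(f"SPF include loop at {domain}")
    path = path | {domain}
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.split("=", 1)[1], zone, path)
            continue
        # Strip the optional qualifier (+ - ~ ?) and split off the argument.
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0].lower()  # "mx/24" -> "mx"
        if name not in LOOKUP_TERMS:
            continue  # ip4, ip6 and all never trigger a DNS query
        total += 1
        if name == "include":
            total += count_lookups(arg, zone, path)
    return total


def within_limit(domain, zone=ZONE):
    """True if the record stays at or under the 10-term limit."""
    return count_lookups(domain, zone) <= LIMIT


if __name__ == "__main__":
    for name in ("flat.example.org", "example.org"):
        print(name, count_lookups(name), within_limit(name))
```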
