Josh, > I currently sign outgoing email with DKIM via amavisd-new 2.6.2 for over > 1000 domains on a single host and noticed today that it is signing based > on the email header from domain rather than the envelope header sender > domain.
Yes, this is the first choice, if at all possible. The main reason is that by having a signing domain match the author's domain (the From header field) the result is an "Author Domain Signature", i.e. a first-party signature. Without this match, you end up with a third party signature, regardless of any potential match with a Sender header field or with envelope sender. > Is there any way to tell amavisd-new (or is this a Mail::DKIM question?) > to sign based on the envelope sender domain instead? Not really. There is a mechanism to force a particular signing domain and a selector for any particular From address, but this is not exactly what you are asking for. There is also a fallback mechanism, which chooses a signing domain matching a Sender or envelope sender address in absence of any applicable key to the From address, but it can not be forced when there *is* an applicable key. Benny Pedersen wrote: > why allow From: and envelope_sender to be diff in the first place ? > imho its your mta borking auth up for you, and you want dkim to sign > the mess ? Sometimes you have no choice. Consider mailing lists for example. Mark ------------------------------------------------------------------------------ Crystal Reports - New Free Runtime and 30 Day Trial Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects _______________________________________________ AMaViS-user mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/amavis-user AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 AMaViS-HowTos:http://www.amavis.org/howto/
