At 03:41 PM 6/26/2009, SM wrote:
>At 12:24 26-06-2009, Nate wrote:
> >We run outbound spam filtering servers for many domains. We are
> >constantly adding and deleting domains, and the current docs seem to
> >imply the only way to sign all these domains is to specify each
> >domain in the keylist file.
> >
> >While this could be done, it would be a severely long file, and our
> >purpose is to sign ALL outgoing messages for every domain using
> >the same key.
>
>You can use:
>
>*...@*:example.net:/var/dkim/keys/default
>
> >The result would be if the sender's IP matches an IP within the
> >trusted-hosts file, it signs the message using the default key no
> >matter what from the sender domain. We can publish the public key in
> >DNS for each domain as well.
>
>You don't need to publish the public key for each domain as you are
>only using example.net as the signing domain.

Thanks for the response.

Right now it seems signing an outgoing message from [email protected] being signed by example.net works and is treated successfully by most spam filters. I would imagine though as time goes on, spam filters are going to want to see messages signed by the actual domain rather than an alternate domain.

It may not have happened yet, but what would stop a spammer from publishing their own DKIM key on a domain they control, and signing all their forged messages with that key instead? Whenever that happens, I imagine, will be the day that SA, Amavis, and others crack down on who signs the message.

Sound accurate or am I misunderstanding some component of DKIM?

- Nate

_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
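
The distinction raised in this message is whether the signing domain (the `d=` tag of `DKIM-Signature`) is the same as the domain in `From:`. As an added example (not part of the original thread and not dkim-milter code), the Python below labels each signature on a message as author-domain or third-party. It does not verify the signature cryptographically; the function names and the sample message are constructed, and treating a `From:` subdomain of `d=` as a match is an assumption of this sketch.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: customer mail signed with the provider's domain (example.net).
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.net;\n"
    "\ts=default; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Nate <nate@customer.example>\n"
    "To: someone@recipient.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Header folding leaves whitespace in values; drop it.
            tags[name.strip()] = "".join(val.split())
    return tags

def from_domain(msg):
    """Return the lower-cased domain of the From: address."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def classify_signatures(raw):
    """Return (author_domain, [(signing_domain, kind), ...]) for a raw message."""
    msg = message_from_string(raw)
    author = from_domain(msg)
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        d = parse_tags(value).get("d", "").lower()
        if not d:
            kind = "invalid"          # d= is a required tag
        elif d == author or author.endswith("." + d):
            kind = "author-domain"    # signer is the From: domain or a parent of it
        else:
            kind = "third-party"      # valid DKIM, but vouches only for the signer
        results.append((d, kind))
    return author, results

if __name__ == "__main__":
    print(classify_signatures(SAMPLE))
```

A filter that wanted to weight signatures the way the message anticipates would apply this label only after the signature itself has verified against the key published under `d=`.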
