Hmm. I was hunting for "best practices" and I found this[1] this morning.
Under section 2.3, it says:
(quoting):
For those operating messaging services on behalf of a variety of
customers, an obvious scheme to use has a different sub-domain label
for each customer. For example:
widgetco.example.net
moviestudio.example.net
bigbank.example.net
However it can also be appropriate to label by the class of service
or class of customer, such as:
premier.example.net
free.example.net
certified.example.net
(end-quote)
The above looks like a mix of both.
ex:
[email protected] d=pqr.org.mailserver.com
[email protected] d=xyz.net.mailserver.com
I'm using DKIMproxy, so the fine-grained control is there.
Ref: [1]: http://tools.ietf.org/html/draft-ietf-dkim-deployment-11
-
Naresh V
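To make the trade-off between the three schemes concrete (option (a), a single white-label d=; option (b), the customer's own domain as d=; and the draft's per-customer sub-domain label that mixes the two), here is an added example that is not code from this thread, from DKIMproxy, or from the deployment draft. It picks the d=/s=/i= tags a signer would emit for a given From: header under each policy and lists the DNS records the operator would have to publish, following Jason's suggestion in the quoted reply below of one shared key pair plus CNAMEs back to the ESP zone. The domain names, the selector name "sel2010", the public-key placeholder and the sample From: addresses are all assumptions constructed for the example.

```python
"""Choose DKIM signing tags for a shared mail host and emit the DNS records.

Added example, not code from the dkim-ops thread or from DKIMproxy.
ESP_DOMAIN, SELECTOR, PUBKEY_B64 and all sample addresses are placeholders.
"""
from __future__ import annotations

from email.utils import parseaddr

ESP_DOMAIN = "mailserver.com"            # the signer's own domain (from the thread)
SELECTOR = "sel2010"                     # assumed selector name
PUBKEY_B64 = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...placeholder"  # assumed key

# "whitelabel"     - option (a): every message signed with d=whitelabel.<ESP>
# "per_domain"     - option (b): d= is the customer's own domain
# "customer_label" - draft-ietf-dkim-deployment 2.3 style: d=<customer>.<ESP>
POLICIES = ("whitelabel", "per_domain", "customer_label")


def from_domain(from_header: str) -> str:
    """Domain of the address in a From: header, lower-cased, no trailing dot."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From: header {from_header!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def signing_identity(from_header: str, policy: str) -> dict:
    """Tags a signer would put in DKIM-Signature for this message and policy."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    author = from_domain(from_header)
    if policy == "whitelabel":
        d = f"whitelabel.{ESP_DOMAIN}"
    elif policy == "per_domain":
        d = author
    else:
        d = f"{author}.{ESP_DOMAIN}"
    # RFC 4871 3.5: the domain part of i= must be d= or a sub-domain of d=,
    # so the agent identity is expressed under d=, not under the author domain.
    i = f"@{d}"
    # RFC 5617: an "author domain signature" is one whose d= equals the
    # domain of the From: address; only option (b) produces that.
    return {"d": d, "s": SELECTOR, "i": i, "author_domain_signature": d == author}


def key_query_name(d: str, s: str) -> str:
    """The name a verifier looks up for a signature (RFC 4871 3.6.2.1)."""
    return f"{s}._domainkey.{d}."


def dns_records(policy: str, customer_domains: list[str]) -> list[tuple[str, str, str]]:
    """(owner, type, rdata) records the operator must have published.

    One key pair is shared by all customers, so the TXT record is published
    once and every other name is a CNAME pointing at it.
    """
    txt = f'"v=DKIM1; k=rsa; p={PUBKEY_B64}"'
    if policy == "whitelabel":
        return [(key_query_name(f"whitelabel.{ESP_DOMAIN}", SELECTOR), "TXT", txt)]
    hub = key_query_name(ESP_DOMAIN, SELECTOR)
    records = [(hub, "TXT", txt)]
    for dom in customer_domains:
        if policy == "per_domain":
            owner = key_query_name(dom, SELECTOR)                 # customer's zone
        else:
            owner = key_query_name(f"{dom}.{ESP_DOMAIN}", SELECTOR)  # ESP's own zone
        records.append((owner, "CNAME", hub))
    return records


def missing_keys(policy: str, from_headers: list[str], customer_domains: list[str]) -> list[str]:
    """d= values the signer would emit that no published record would answer for."""
    owners = {owner for owner, _, _ in dns_records(policy, customer_domains)}
    missing = []
    for header in from_headers:
        ident = signing_identity(header, policy)
        if key_query_name(ident["d"], ident["s"]) not in owners:
            missing.append(ident["d"])
    return missing


if __name__ == "__main__":
    # Constructed sample: two hosted customers, only one of them provisioned in DNS.
    senders = ["Alice <alice@pqr.org>", "bob@xyz.net"]
    provisioned = ["pqr.org"]
    for policy in POLICIES:
        print(f"== {policy} ==")
        for owner, rtype, rdata in dns_records(policy, provisioned):
            print(f"  {owner} {rtype} {rdata[:40]}")
        print("  unresolvable d= values:", missing_keys(policy, senders, provisioned))
```

The point the run makes is the one the thread circles around: option (a) needs a single record and no per-customer DNS work, option (b) needs a record in a zone the customer controls (which is also what lets pqr.org take its reputation with it when it leaves), and the mixed sub-domain scheme keeps every record inside the ESP's own zone, so it can be automated at provisioning time. Under (a) and the mixed scheme the signature is not an author domain signature, because d= differs from the From: domain.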
On 28 April 2010 19:34, Jason Long <[email protected]> wrote:
> Given your concerns about reputation and potentially abusive domains, I
> think you want to sign each domain's mail with a unique d= tag. The main
> hurdle, as you suggest, is the greater difficulty of DNS record management.
> That could maybe be alleviated by 1) using the same key pair for each domain
> and publishing the same public key in each domain's zone file and maybe even 2)
> using CNAMEs in each domain's zone file to point back to the public key
> published in your own zone.
>
> As for "best practice", I have no idea. But that's my idea.
>
> The other consideration is what options your DKIM signing software gives
> you. For instance, if I was using a program that could not pick the d= tag
> according to the sender's domain, I might look for other solutions.
>
> Jason
> --
> DKIMproxy http://dkimproxy.sourceforge.net
>
>
>
> On Tue, Apr 27, 2010 at 11:04 AM, Naresh V <[email protected]> wrote:
>>
>> Hi,
>>
>> I have a setup here where there are a bunch of boxes that host email
>> for several domains. Shared email hosting, basically.
>> I want some insight on the pros and cons of
>>
>> a. having a single whitelisted domain in the "d" tag of the signatures:
>> All my outgoing mail (regardless of which domain it's from) is signed
>> with the same "d" tag
>> [email protected] d=whitelabel.mailserver.com
>> [email protected] d=whitelabel.mailserver.com
>>
>> (simpler DNS TXT RR management?)
>>
>> vs.
>>
>> b. having emails signed with the corresponding "d" tags
>> [email protected] d=pqr.org
>> [email protected] d=xyz.net
>>
>> (helps if pqr.org wants to migrate to a different email service
>> provider?)
>>
>>
>> Also, in case (a), would designating a separate "s" tag for each
>> domain make a difference to the reputation of my domain
>> (whitelabel.mailserver.com) with someone like Return Path?
>>
>> I'm concerned about my subnet's reputation. There could be abusive
>> domains hosted with me, and I intend to suspend them the moment I
>> get the right feedback via the FBL.
>>
>>
>>
>> Naresh V
>> _______________________________________________
>> dkim-ops mailing list
>> [email protected]
>> http://mipassoc.org/mailman/listinfo/dkim-ops
>
>