Given your concerns about reputation and potentially abusive domains, I think you want to sign each domain's mail with a unique d= tag. The main hurdle, as you suggest, is the greater difficulty of DNS record management. That could maybe be alleviated by 1) using the same key pair for each domain and publishing the same public key in each domain's zone file and maybe even 2) using CNAMEs in each domain's zone file to point back to the public key published in your own zone.
As for "best practice", I have no idea. But that's my idea. The other consideration is what options your DKIM signing software gives you. For instance, if I was using a program that could not pick the d= tag according to the sender's domain, I might look for other solutions.

Jason
--
DKIMproxy
http://dkimproxy.sourceforge.net

On Tue, Apr 27, 2010 at 11:04 AM, Naresh V <[email protected]> wrote:
> Hi,
>
> I have a setup here where there are a bunch of boxes that host email
> for several domains. A shared email hosting basically.
> I want some insight on the pros and cons of
>
> a. having a single whitelisted domain in the "d" tag of the signatures:
> All my outgoing mail (regardless of which domain it's from) is signed
> with the same "d" tag
> [email protected] d=whitelabel.mailserver.com
> [email protected] d=whitelabel.mailserver.com
>
> (simpler DNS TXT RR management?)
>
> vs.
>
> b. having emails signed with the corresponding "d" tags
> [email protected] d=pqr.org
> [email protected] d=xyz.net
>
> (helps if the pqr.org wants to migrate to a different email service
> provider?)
>
>
> Also, in case (a), would designating a separate "s" tag for each
> domain make a difference to my domain (whitelabel.mailserver.com)'s
> reputation with someone like Return-Path?
>
> I'm concerned about my subnet's reputation. There could be abusive
> domains hosted with me and I intend to suspend it the moment I
> get the right feedback via the FBL.
>
>
>
> Naresh V
> _______________________________________________
> dkim-ops mailing list
> [email protected]
> http://mipassoc.org/mailman/listinfo/dkim-ops
>
_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
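
The per-domain d= selection and CNAME delegation suggested in the reply above, as an added example that is not part of the original thread and is not DKIMproxy code. The selector name "shared1", the key placeholder and the suspended-domain set are assumptions; the domains are the ones used in the thread.

```python
# Added illustration: per-domain d= with one shared key published once
# in the provider's zone and CNAMEs in each hosted domain's zone.
PROVIDER_ZONE = "whitelabel.mailserver.com"  # provider zone from the thread
SELECTOR = "shared1"                         # hypothetical selector name
HOSTED = {"pqr.org", "xyz.net"}              # hosted domains from the thread


def signing_identity(sender, hosted=HOSTED, suspended=frozenset(),
                     selector=SELECTOR):
    """Pick d=/s= from the sender's own domain.

    Returns (d, s, dns_name), where dns_name is where a verifier looks up
    the public key, or None when the mail must not be signed (malformed
    address, domain not hosted here, or domain suspended for abuse).
    """
    local, sep, domain = sender.rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local:
        return None
    if domain not in hosted or domain in suspended:
        return None
    return domain, selector, f"{selector}._domainkey.{domain}"


def provider_key_record(public_key_b64, selector=SELECTOR,
                        provider=PROVIDER_ZONE):
    """The single TXT record holding the shared public key (provider zone)."""
    return (f'{selector}._domainkey.{provider}. IN TXT '
            f'"v=DKIM1; k=rsa; p={public_key_b64}"')


def delegation_records(hosted=HOSTED, selector=SELECTOR,
                       provider=PROVIDER_ZONE):
    """One CNAME per hosted domain, each placed in that domain's own zone."""
    target = f"{selector}._domainkey.{provider}."
    return [f"{selector}._domainkey.{d}. IN CNAME {target}"
            for d in sorted(hosted)]


if __name__ == "__main__":
    print(provider_key_record("<BASE64_PUBLIC_KEY>"))  # placeholder key
    print("\n".join(delegation_records()))
    print(signing_identity("someone@pqr.org"))         # constructed sender
```

With this layout a key rotation touches only the provider's TXT record, while each hosted domain still carries its own d= value.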
