On 12/12/11 11:55 AM, Dave CROCKER wrote:
> On 12/12/2011 7:15 AM, Anthony Piccione wrote:
>> We have DKIM set up and working on our primary domain and would now like to have
>> another domain setup for use in sending emails.
>>
>> For DKIM to also work on this second domain:
>>
>> 1) Does the second domain need to resolve to the same IP address as the first?
> DKIM, itself, uses its own domain name field (d=). However the module above
> DKIM that does assessment can impose any policies it wishes. There are
> certainly cases of looking at the relationship between that domain name and the
> domain name in From: field or the SMTP Mail From command.

Policy (if applied) is likely to follow criteria established by ADSP where a signature is valid only when referenced from the Author-Domain.

i.e. <author>@<author-domain> must use:
<selector(s...)>._domainkey.<author-domain> TXT ...

> In some cases, there is combined analysis with SPF, which does correlate IP
> Addresses with the domain, along the lines you are asking about.

Combining SPF based policy with DKIM signature domains will reduce DKIM's delivery integrity. SPF on its own suffers high failure rates where IPv6 transitional protocols increase these failure rates. rDNS will remain problematic for the same reasons. SPF and rDNS (address based validation) can not adapt to current protocol transitional strategies.

http://tools.ietf.org/html/rfc6376

>> 2) Do we need a separate txt record created for the second domain?
> I don't really understand the question.
>
> For a given DKIM domain -- complete with a specific selector -- only one TXT
> record is used.

Agreed. Records referenced below the Author-Domain permit Parent Domain signatures. One at the Author-Domain permits an Author Domain signature. A signature that is neither is considered a third-party signature. The same record can permit both Parent Domain and Author Domain signatures.

There is an experimental draft where hashed references at the Author-Domain can authorize either Parent or third-party signatures. This draft provides greater flexibility for generating Author-Domain authorizations which could be combined with EHLO domain validations, for example.

See: http://tools.ietf.org/html/draft-kucherawy-dkim-atps-11

-Doug

_______________________________________________
dkim-ops mailing list
http://mipassoc.org/mailman/listinfo/dkim-ops
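The three signature relationships named in the message above, as an added example that is not part of the original post. It reads the `d=` and `s=` tags of each DKIM-Signature header, derives the TXT name where the key record lives, and compares `d=` with the From: domain. It assumes a "Parent Domain" signature means `d=` is a parent of the author's domain, performs no DNS lookup or signature verification, and uses constructed domains and a constructed selector.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: domains, selector and tag values are placeholders.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail2011;\n"
    "\th=from:subject; bh=placeholder; b=placeholder\n"
    "From: Author <author@news.example.com>\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def dkim_tags(value):
    """Split a DKIM-Signature tag=value list into a dict (RFC 6376, section 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def classify(raw_message):
    """Return [(key_record_name, relationship)] for each DKIM-Signature header."""
    msg = message_from_string(raw_message)
    author_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(header)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        if not d or not s:
            continue  # both tags are required; skip malformed signatures
        if d == author_domain:
            relation = "author-domain"
        elif author_domain.endswith("." + d):  # match on a label boundary only
            relation = "parent-domain"
        else:
            relation = "third-party"
        # One TXT record per (selector, d=) pair holds the public key.
        results.append((f"{s}._domainkey.{d}", relation))
    return results

if __name__ == "__main__":
    for record, relation in classify(SAMPLE):
        print(record, relation)
```
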
