Hi Matias,

You are right, senders that want to implement DMARC need to align "d=" and the 
envelope sender domain with the From: header domain. This will be a challenge 
for ESPs as the From: header domain is often the domain of their customer.

The best approach is to get your customers to set up a subdomain which you can 
use as envelope sender domain and DKIM signing identity. This will allow you to 
do the bounce processing and the signing on their behalf. You can find more 
suggestions related to DKIM for ESPs in:
http://dkimcore.org/deployment/esp.html

PowerMTA will normally only sign with a domain that matches the From: header 
domain, or a parent domain thereof. This will result in an aligned signature as 
long as you have a matching "domain-key" configured. If you use "dkim-identity" 
or "dkim-identity-fallback" your DKIM signature will probably not be aligned. 

Maarten Oelering
Postmastery B.V.

On 12 dec. 2012, at 00:05, Matias Kruk wrote:

> Hi to everyone! 
> My name is Matias Kruk. And I'm in charge of an email marketing company. We 
> send newsletters and campaigns on behalf of our clients. 
> We have implemented DKIM and SPF. And now we want to implement DMARC. 
> I'm digging into it and I found this in the DMARC FAQ. It says about mailing 
> lists:
> 
> DMARC introduces the concept of aligned identifiers. It means the domain in 
> the from header must match the d= in the DKIM signature and the domain in the 
> mail from envelope.
> You have a few solutions:
> 1. operate as a strict forwarder, where the message is not changed and the 
>    validity of the DKIM signature is preserved
> 2. introduce an "Original Authentication Results" header to indicate you have 
>    performed the authentication and you are validating it
> 3. take ownership of the email, by removing the DKIM signature and putting your 
>    own as well as changing the from header in the email to contain an email 
>    address within your mailing list domain.
> In our case the from header does not match DKIM's d tag. So I think we 
> should implement solution #2 ("Original Authentication Results"). I 
> tried asking in PowerMTA forums and support, but it didn't help me much.
> Does someone in the list have experience in this?
> Thanks in advance
> 
> -- 
> Inf. Eng. Matias Kruk
> Skype: matiaslkruk
> 
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> 
> NOTE: Participating in this list means you agree to the DMARC Note Well terms 
> (http://www.dmarc.org/note_well.html)
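
The alignment check discussed in this thread, as an added Python example that is not part of the original messages and not PowerMTA code. The suffix set, the domains and the two sample messages are constructed, and the function names are hypothetical; it compares identifiers only and does not verify that SPF or the DKIM signature itself passes.

```python
import email
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; a real check needs the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "example", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(identifier, from_domain, mode="r"):
    """mode 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    a, b = identifier.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dkim_d_tags(msg):
    """Return the d= value of every DKIM-Signature header in the message."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        pairs = (p.split("=", 1) for p in value.split(";") if "=" in p)
        tags = {k.strip(): "".join(v.split()) for k, v in pairs}
        found.append(tags.get("d", ""))
    return found

def check_alignment(raw_message, envelope_from, adkim="r", aspf="r"):
    """Alignment only: does not verify that SPF or the signature itself passes."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    return {
        "from": from_domain,
        "spf": aligned(envelope_from.rpartition("@")[2], from_domain, aspf),
        "dkim": any(aligned(d, from_domain, adkim) for d in dkim_d_tags(msg)),
    }

# Constructed sample: the ESP signs with its own domain, From: is the customer's.
ESP_SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=s1;\n"
    "\th=from:subject; bh=AAAA; b=BBBB\n"
    "From: News <news@customer.example>\n"
    "Subject: test\n\nbody\n"
)
# Constructed sample: same mail, signed with a subdomain the customer delegated.
SUBDOMAIN_SIGNED = ESP_SIGNED.replace("d=esp.example", "d=mail.customer.example")
```

`check_alignment(ESP_SIGNED, "bounce@esp.example")` reports neither identifier aligned, while `check_alignment(SUBDOMAIN_SIGNED, "bounce@mail.customer.example")` reports both aligned in relaxed mode and neither when `adkim="s"` and `aspf="s"` are passed.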
