Hey guys. Thanks for the tips. As far as I understand from all your comments, I have to change the PMTA's settings. For example, I'm using dkim-identity and the signature is generated with the same i for all clients, so my current DKIM signature is not aligned. So I have to change this and implement something more complex in order to use the clients' domain to generate an aligned signature. On the other hand, I think I have to check that the clients' DNS SPF records link to our SPF records too. Anyway, if I have more comments or doubts, I'm gonna bother you with my messages :). Thanks for the feedback!
On Wed, Dec 12, 2012 at 6:50 AM, Maarten Oelering <[email protected]> wrote:

> Hi Matias,
>
> You are right, senders that want to implement DMARC need to align "d=" and
> the envelope sender domain with the From: header domain. This will be a
> challenge for ESPs as the From: header domain is often the domain of their
> customer.
>
> The best approach is to get your customers to set up a subdomain which you
> can use as envelope sender domain and DKIM signing identity. This will
> allow you to do the bounce processing and the signing on their behalf. You
> can find more suggestions related to DKIM for ESPs in:
> http://dkimcore.org/deployment/esp.html
>
> PowerMTA will normally only sign with a domain that matches the From:
> header domain, or a parent domain thereof. This will result in an aligned
> signature as long as you have a matching "domain-key" configured. If you
> use "dkim-identity" or "dkim-identity-fallback" your DKIM signature will
> probably not be aligned.
>
> Maarten Oelering
> Postmastery B.V.
>
> On 12 dec. 2012, at 00:05, Matias Kruk wrote:
>
> Hi to everyone!
> My name is Matias Kruk. And I'm in charge of an email marketing company.
> We send newsletters and campaigns on behalf of our clients.
> We have implemented DKIM and SPF. And now we want to implement DMARC.
> I'm digging into it and I found this in the DMARC
> FAQ <http://www.dmarc.org/faq.html#s_3>.
> And it says about mailing lists:
>
> DMARC introduces the concept of *aligned identifiers. It means the domain
> in the from header must match the d= in the DKIM signature and the domain
> in the mail from envelope.*
> You have a few solutions:
>
> 1. operate as a strict forwarder, where the message is not changed and
> the validity of the DKIM signature is preserved
> 2. *introduce an "Original Authentication Results" header to indicate
> you have performed the authentication and you are validating it*
> 3. take ownership of the email, by removing the DKIM signature and
> putting your own as well as changing the from header in the email to
> contain an email address within your mailing list domain.
>
> In our case the from header does not match DKIM's d tag. So I think we
> should implement the solution #2 ("Original Authentication Results"). I
> tried asking in PowerMTA forums and support, but it doesn't help me too
> much.
> Does someone in the list have experience in this?
> Thanks in advance
>
> --
> Inf. Eng. Matias Kruk
> Skype: matiaslkruk
>
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note Well
> terms (http://www.dmarc.org/note_well.html)

--
Inf. Eng. Matias Kruk
Skype: matiaslkruk
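The alignment check discussed in this thread, as an added example that is not part of the original messages and not PowerMTA's code: it compares the From: header domain with the DKIM d= domain and the envelope sender domain, in relaxed and strict mode, for an ESP's shared signing identity and for a delegated customer subdomain. The domains, the scenario names and the small suffix set standing in for the Public Suffix List are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption, not the real list).
SAMPLE_SUFFIXES = {"com", "org", "example", "co.uk"}


def org_domain(domain, suffixes=SAMPLE_SUFFIXES):
    """Return the organizational domain: longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Candidates run from longest to shortest, so the first hit is the longest suffix.
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def aligned(from_domain, auth_domain, mode="r"):
    """mode 'r' = relaxed (same organizational domain), 's' = strict (exact match)."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def header_from_domain(from_header):
    """Extract the domain of the address in a From: header value."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def check_message(from_header, dkim_d, envelope_from, adkim="r", aspf="r"):
    """Report DKIM and SPF identifier alignment separately for one message."""
    fd = header_from_domain(from_header)
    return {
        "from_domain": fd,
        "dkim_aligned": aligned(fd, dkim_d, adkim),
        "spf_aligned": aligned(fd, envelope_from.rpartition("@")[2], aspf),
    }


# Constructed scenarios: (From: header, DKIM d=, envelope sender).
SCENARIOS = {
    "shared ESP identity": ("News <news@client.example>", "esp.example", "bounce@esp.example"),
    "delegated subdomain": ("News <news@client.example>", "mail.client.example", "bounce@mail.client.example"),
}

if __name__ == "__main__":
    for name, (frm, d, env) in SCENARIOS.items():
        print(name, "relaxed:", check_message(frm, d, env))
        print(name, "strict: ", check_message(frm, d, env, adkim="s", aspf="s"))
```

The delegated subdomain aligns only in relaxed mode, so a customer who publishes `adkim=s` or `aspf=s` would need the exact From: domain as the signing or envelope domain.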
