Hi, Roland.

Thanks for the suggestion. We are considering something like this, but there 
are two reasons why it's not ideal for us.

First, we occasionally have to change which set of MTAs a particular customer's 
mail goes to. So adding another set of MX records managed by the customer is a 
bit of a problem. It's manageable, but not great.

We would also have to configure our MTAs to accept mail for this subdomain of 
the customer's organizational domain. For various reasons I'd prefer not to do 
that.

So for us it looks much better to aim to use DKIM. But if anyone has experience 
of delivery problems in a setup where DKIM passes in alignment, but SPF is out 
of alignment, I'd like to hear about it.

Thanks,
Joe Humphreys

-----Original Message-----
From: Roland Turner [mailto:[email protected]] 
Sent: Tuesday, December 18, 2012 11:02 PM
To: Joseph Humphreys
Cc: [email protected]
Subject: Re: [dmarc-discuss] Third-party sender questions

If your customer trusts you enough to allow you to sign their organisational 
domain (i.e. they've published a public key with a selector that you proposed, 
or given you the private key of an existing pair) then, presumably, they'll 
trust you enough to publish SPF, MX and - assuming that you want the 
feedback - DMARC records for an ESP-specific sub-domain:


esp.customer.example TXT "include:_spf.esp.example"
esp.customer.example MX 0 bounces.esp.example
_dmarc.esp.customer.example TXT "v=DMARC1; p=none; rua=mailto:[email protected]";



MAIL FROM: [email protected]

DKIM-Signature: v=1; ...; d=customer.example
From: [email protected]



This can pass both SPF and DKIM, send the bounces for this stream back 
to you, maintain DMARC alignment for SPF (which may improve 
authentication coverage) and send DMARC feedback to you for your sub-domain.

- Roland


On 12/12/2012 02:45 AM, Joseph Humphreys wrote:
> Hi, all.
>
> I'm taking a first look at DMARC, and I have a few questions. My 
> interest is as a third party sending mail on behalf of another 
> organization, and I want to handle bounces for that mail. So if the 
> mail I'm sending looks like this:
>
> MAIL FROM: <[email protected]>
>
> DKIM-Signature: v=1; ...; d=example.com; ...
> From: [email protected]
> Date: Fri, Feb 15 2002 16:54:30 -0800
> To: [email protected]
> Subject: here's a sample
>
> Clearly, the SPF identifier is not in alignment. However, am I correct 
> in understanding that this would still pass the DMARC check, as long 
> as the DKIM signature (which is in alignment) validates?
>
> Assuming that's correct, would this be considered an acceptable 
> practice? I've looked at the FAQ question on third-party senders, and 
> I think what I'm describing corresponds to the suggestion A.2 there.
>
> Has anyone suggested allowing the DMARC record to specify acceptable 
> third-party domains for the RFC5321.MailFrom? In other words, the 
> record for example.com could specify that a MailFrom of 3dparty.com 
> should be considered in alignment for the purpose of SPF checks?
>
> Regards,
> Joe Humphreys
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note 
> Well terms (http://www.dmarc.org/note_well.html)
>

-- 
   Roland Turner | Director, Labs
   TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
   Mobile: +65 96700022 | Skype: roland.turner
   [email protected] | http://www.trustsphere.com/
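
The alignment question discussed in this thread, worked through as an added example (not part of the original messages): a simplified DMARC identifier-alignment check applied to both setups. The sample messages are constructed from the domains named in the thread, and the organizational-domain rule (last two labels) is an assumption; real verifiers use the Public Suffix List.

```python
# Added example: simplified DMARC identifier alignment (aspf/adkim modes).
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """ASSUMPTION: organizational domain = last two labels.
    Real verifiers consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """mode 's' (strict): exact match; mode 'r' (relaxed): same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class Message:
    mail_from_domain: str    # RFC5321.MailFrom domain (checked by SPF)
    spf_pass: bool           # did SPF itself pass for that domain?
    dkim_d: str              # d= tag of the DKIM signature
    dkim_pass: bool          # did the signature validate?
    header_from_domain: str  # RFC5322.From domain


def dmarc_eval(msg: Message, aspf: str = "r", adkim: str = "r") -> dict:
    """DMARC passes when at least one mechanism both passes and is aligned."""
    spf_ok = msg.spf_pass and aligned(msg.mail_from_domain, msg.header_from_domain, aspf)
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_d, msg.header_from_domain, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


# Constructed samples based on the domains used in the thread.
# Third party's own bounce domain, customer's DKIM signature:
THIRD_PARTY = Message("3dparty.com", True, "example.com", True, "example.com")
# ESP-specific sub-domain as the bounce domain:
SUBDOMAIN = Message("esp.customer.example", True,
                    "customer.example", True, "customer.example")

if __name__ == "__main__":
    print("third-party MAIL FROM:", dmarc_eval(THIRD_PARTY))
    print("sub-domain, relaxed:  ", dmarc_eval(SUBDOMAIN))
    print("sub-domain, aspf=s:   ", dmarc_eval(SUBDOMAIN, aspf="s"))
```

In the first setup the DKIM signature is the only aligned identifier, so a signature that fails to validate at the receiver leaves nothing for DMARC to pass on.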

