Eric,
What I would recommend is treating each subdomain so that it functions independently of
the parent; if you have all the pertinent records, it will not fall back to the
parent domain.
Using internal IPs for examples, assuming BIND syntax.
$TTL 3600                       ; default TTL for the records below
example.com. IN SOA ns1.example.com. dnsadmins.example.com. (
    2015021800 ; Serial
    10800      ; Refresh
    3600       ; Retry
    604800     ; Expire
    900 )      ; Negative-cache TTL
@ IN NS ns1
@ IN NS ns2
@ IN NS ns3
@ IN NS ns4
ns1 IN A 192.168.0.11
ns2 IN A 192.168.0.12
ns3 IN A 192.168.0.13
ns4 IN A 192.168.0.14
;Servers
@ IN A 192.168.1.10 ;website
www IN CNAME @ ;website
mail IN A 192.168.1.11 ; mail server
mx IN A 192.168.1.12 ; mailfilter
;Email Authorization
; SPF must begin with "v=spf1": no leading space inside the quotes
@ IN TXT "v=spf1 ip4:192.168.1.0/24 -all"
; DKIM keys are queried at <selector>._domainkey, so a selector label belongs in front of this owner name
_domainkey IN TXT "v=DKIM1; k=rsa; " "p=MIGfMA0GCS...."
; a TXT string cannot wrap across lines without parentheses, so each DMARC record stays on one line
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; fo=0; adkim=r; aspf=r; sp=none"
;Permit DMARC reports from another domain (example.com agrees to receive reports for task.example.com)
task.example.com._report._dmarc IN TXT "v=DMARC1"
$ORIGIN task.example.com.
@ IN A 192.168.2.10 ;website
www IN CNAME @ ;website
mail IN A 192.168.2.11 ; mail server
mx IN A 192.168.2.12 ; mailfilter
taskserver IN A 10.1.10.100 ;special app
taskserver IN AAAA fd10::1 ;special app dual stack
;Email Authorization
@ IN TXT "v=spf1 ip4:192.168.2.0/24 ip4:10.1.10.100 ip6:fd10::1 include:example.com -all"
_domainkey IN TXT "v=DKIM1; k=rsa; " "p=MIGADKDh12S...."
taskapp._domainkey IN TXT "v=DKIM1; k=rsa; " "p=MZASDDh12S...."   ; selector "taskapp"
_dmarc IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]; fo=0; adkim=r; aspf=r; sp=none"
Does this help? (or hurt)
Thanks,
Jake
-----Original Message-----
From: dmarc-discuss [mailto:[email protected]] On Behalf Of John
Levine via dmarc-discuss
Sent: Tuesday, February 17, 2015 8:30 PM
To: [email protected]
Subject: Re: [dmarc-discuss] dmarc and delegated zones
>If I understand you correctly, even though zones don't matter to how I
>create the records, the zones could be a useful tool for me delegating
>management of the records. If I have one set of records for example.com
>in one organization and another set of exhibit records in New
>Jersey.example.com managed by my organization then I can manage the
>records independent of the parent organization.
If that's the way your name servers are set up, sure. There's no general
answer about what's easier since it depends on how your DNS provisioning is set
up.
>Are there any collisions between the DMARC records configurations in
>the parent domain versus a subdomain that I need to worry about?
There shouldn't be. The point of using the _dmarc prefix name is that it
shouldn't conflict with anything else.
>my interpretation of what I've read leads me to believe I'm better off
>keeping all of the header addresses in the same domain and using a
>reply-to to direct responses to a real human instead of trying to make
>the from: address the humans address.
Again, it depends on how your system is set up. Assuming you control the
inbound MTAs for your domain, you should be able to route the incoming replies
to the From: addresses wherever you need to.
R's,
John
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
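To show what a receiver actually does with the records in Jake's zone above, here is an added example (not code from either mail): DMARC policy discovery with the subdomain fallback to the parent's sp= tag (RFC 7489 section 6.6.3) and the external report-destination check that the _report._dmarc record satisfies (section 7.1). DNS is replaced by a constructed dict; the owner names, rua addresses, the other.example.com subdomain and the reports.example.net receiver are sample values, and the organizational domain is assumed to be the last two labels.

```python
# Added example, not from the original mail: the DMARC lookups a receiver
# performs against records modelled on Jake's zone (RFC 7489 6.6.3 and 7.1).
# DNS is replaced by a constructed dict; all names and addresses are sample values.

# Constructed TXT records (fully qualified owner names, no trailing dot).
TXT = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:rua@example.com; adkim=r; aspf=r; sp=quarantine",
    "_dmarc.task.example.com": "v=DMARC1; p=reject; rua=mailto:rua@reports.example.net",
    # published in the report receiver's zone, like the _report._dmarc line in Jake's file
    "task.example.com._report._dmarc.reports.example.net": "v=DMARC1",
}

def parse_tags(txt):
    """Turn 'k=v; k2=v2' into a dict; tag names are case-insensitive."""
    return {k.strip().lower(): v.strip()
            for k, _, v in (p.partition("=") for p in txt.split(";")) if k.strip()}

def org_domain(name):
    # Assumption: the last two labels are the organizational domain.
    # A real receiver derives this from the Public Suffix List.
    return ".".join(name.split(".")[-2:])

def is_dmarc(rec):
    return rec is not None and parse_tags(rec).get("v", "").upper() == "DMARC1"

def discover_policy(from_domain):
    """Return (policy_domain, policy, tags), or (None, None, None) if no DMARC applies."""
    rec = TXT.get(f"_dmarc.{from_domain}")
    if is_dmarc(rec):
        tags = parse_tags(rec)
        return from_domain, tags.get("p", "none"), tags
    org = org_domain(from_domain)
    rec = TXT.get(f"_dmarc.{org}") if org != from_domain else None
    if not is_dmarc(rec):
        return None, None, None
    tags = parse_tags(rec)
    # A subdomain without its own record inherits sp= if present, else p=.
    return org, tags.get("sp", tags.get("p", "none")), tags

def report_destination_ok(policy_domain, rua_addr):
    """An rua destination outside the policy domain's organization must opt in
    via <policy_domain>._report._dmarc.<destination host> TXT "v=DMARC1"."""
    dest = rua_addr.partition("@")[2]
    if org_domain(dest) == org_domain(policy_domain):
        return True  # same organizational domain: no verification needed
    return is_dmarc(TXT.get(f"{policy_domain}._report._dmarc.{dest}"))

if __name__ == "__main__":
    for d in ("task.example.com", "other.example.com", "example.com"):
        pdom, pol, tags = discover_policy(d)
        print(d, "->", pdom, pol, report_destination_ok(pdom, tags["rua"].replace("mailto:", "")))
```

Because task.example.com publishes its own _dmarc record it never consults the parent, while other.example.com (no record of its own) picks up example.com's sp= value, which is the fallback Jake's "all the pertinent records" advice avoids.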