On Behalf Of Noel Jones, February 17, 2016 4:00 PM
>Your unsigned messages won't (shouldn't?) be affected as long as you don't
>publish a DMARC policy indicating that all mail must be signed. I suppose you
>could publish a DMARC policy indicating DKIM is optional to make that
>explicit, but that shouldn't be necessary.
>https://dmarc.org

Outside of my limited (but growing) knowledge of DKIM, how the receiving server goes about verifying the messages is derived from the signature itself (RFC5585). So it shouldn't matter if we have no signature. But I have also read that it depends greatly on how the receiving server implements signature verification. It seems plausible (to me) to first check for DKIM records in DNS before reviewing the message. Meaning if DNS records exist, then the lack of a signature in the message should tell you something.

>On the other hand, now is a good time to enable signing of all your mail.

If we implement DKIM at the main office, Exchange with a Barracuda spam filter in front, I will need to do further reading on multiple DKIM records in DNS, since it's the same domain name. Would I use an add-on application for Exchange or use an in-between Linux/postfix setup that simply signs and forwards the message? I only ask due to not yet having the time to look into this. My main question surrounding the overall setup is that I will have two originating mail servers using DKIM signatures for the same domain name.

>Note Domainkeys is a predecessor of DKIM, which is now unused, and using that
>name can cause confusion. If someone says you need to enable Domainkeys,
>just translate that to DKIM in your head.

Got it. That's the first thing I studied when I started researching DKIM - I've known about DKIM and the basic concept for a while but I've never really had the need to dig into it until recently.

>It appears the mail you sent to the list is already DKIM signed by your mail
>service. Good.

My company email - not the one I'm working with.

>That's not a problem either since the DKIM header always indicates a selector
>(or DNS record) to be used for verifying, and a domain can have multiple
>selectors.

Actually studying this now.

The DNS records the marketing company want me to add are:

Domainkey_Policy
_domainkey.ocompany.net TXT "t=yl; o=~;"
_domainkey.othercompany.net
200608._domainkey.ocompany.net TXT "RSA....."

Since the "o=~" is present (some emails are signed), I think we will be ok by adding these records before doing the main mail service.

Vernon
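
Added example, not part of the original message or of any mail server's code: how a verifier turns the s= and d= tags of each DKIM-Signature header into the DNS name of the key record, which is why two senders can sign for the same domain with different selectors. The two signature headers are constructed samples; the selector "office" and the assumption that the marketing sender signs with selector 200608 are hypothetical, and the bh=/b= values are placeholders.

```python
import re

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list, as used in DKIM-Signature
    headers and in _domainkey TXT records."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)       # undo header folding
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:                                      # skip empty trailing parts
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_record_name(dkim_signature):
    """DNS name of the TXT record holding the key for one signature."""
    tags = parse_tags(dkim_signature)
    if "s" not in tags or "d" not in tags:
        raise ValueError("signature lacks s= or d=")
    return f"{tags['s']}._domainkey.{tags['d']}"

def lookups_for(signature_headers):
    """One key lookup per DKIM-Signature header; none for unsigned mail."""
    return [key_record_name(h) for h in signature_headers]

def legacy_policy(txt):
    """Read the o= tag of an old DomainKeys policy record
    ('~' is the default: the domain may sign some mail)."""
    meaning = {"~": "some mail signed", "-": "all mail signed"}
    return meaning.get(parse_tags(txt).get("o", "~"), "unknown")

# Constructed sample headers (values after the colon of DKIM-Signature:).
MARKETING_SIG = ("v=1; a=rsa-sha256; d=ocompany.net; s=200608;\r\n"
                 "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
OFFICE_SIG = ("v=1; a=rsa-sha256; d=ocompany.net; s=office;\r\n"
              " h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    print(lookups_for([MARKETING_SIG, OFFICE_SIG]))  # two records, one domain
    print(lookups_for([]))                           # unsigned: no key lookup
    print(legacy_policy("t=yl; o=~;"))               # record from the message
```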
