On 27 Apr 2021, at 14:41, Jeff Abrahamson wrote:
> So you note "This perfectly valid signature is useless for DMARC unless the
> From header address is in p27.eu." And, indeed, nantes-m1.p27.eu is MX for
> p27.eu and for mobilitains.fr. I'd understood that DKIM/DMARC should match
> the MX host's name, but it appears I've misunderstood.

A DKIM signature can be for any domain (d=?) and selector (s=?) value
for which you have a private key whose public half is published in DNS.
Which domain(s) you choose to sign with (and which headers you sign)
should depend on what you want to assert about a particular message.
DMARC is not the only application of DKIM.
DMARC only pays attention to a DKIM signature if it is "aligned" with
the address in the From header, as possibly modified by the subdomain
policy (sp=?) attribute of the DMARC record for the signature's domain.

> It sounds like you're suggesting I should set up separate DKIM signing for
> mobilitains.fr.

Yes. You need to do that if you want forwarding-safe DMARC
authentication of mail with mobilitains.fr in the From header.
--
Bill Cole
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
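
The alignment rule discussed in this reply, as an added Python example that is not part of the original thread: it lists which DKIM `d=` domains on a message align with the From header domain. Assumptions: the `adkim` alignment mode tag from the DMARC specification, a tiny constructed suffix set standing in for the Public Suffix List, constructed sample messages, and signatures that have already verified cryptographically.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption: real checkers load the full list).
PUBLIC_SUFFIXES = {"eu", "fr", "com", "co.uk"}

def org_domain(domain):
    """Return the organizational domain: the public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def dkim_domains(msg):
    """Collect the d= tag of every DKIM-Signature header on the message."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", value)
        if m:
            found.append(m.group(1).lower())
    return found

def aligned_signatures(raw, adkim="r"):
    """Return the d= domains that align with the From header domain.
    adkim="r" (relaxed) compares organizational domains; "s" (strict) needs an exact match.
    Cryptographic verification of each signature is assumed to have passed already."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if adkim == "s":
        return [d for d in dkim_domains(msg) if d == from_domain]
    return [d for d in dkim_domains(msg) if org_domain(d) == org_domain(from_domain)]

# Constructed sample messages; the address, selectors and signature data are placeholders.
ONLY_MX_DOMAIN = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=p27.eu; s=sel1; h=from:subject; bh=x; b=x\n"
    "From: User <user@mobilitains.fr>\nSubject: test\n\nbody\n")
BOTH_DOMAINS = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=mobilitains.fr; s=sel2; h=from:subject; bh=x; b=x\n"
    + ONLY_MX_DOMAIN)

if __name__ == "__main__":
    print("signed by p27.eu only:", aligned_signatures(ONLY_MX_DOMAIN))
    print("signed by both domains:", aligned_signatures(BOTH_DOMAINS))
```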