On 2/4/2010 2:47 PM, James R. Marcus wrote:
> We are a student discount company.
Isn't that an oxymoron?
Aren't all students expensive?
(Sorry, but it's Friday night and it's been a strange week.)
> This third-party is using DKIM to keep our email from being flagged as SPAM.
> They request that we create the following record:
>
>
> [root_at_relay1 opendkim-1.2.2]# dig @4.2.2.2 key1._domainkey.edhance.com txt
This means that you have delegated authorization to sign with your 'base' domain
name to a third party.
That's entirely feasible and legal, but you might want to retain a bit more
control. And having them ride on the back of your /established/ reputation
might be exactly the right choice. But note that it increases the level of
trust you need to have in them, since they can pollute your reputation.
You could, instead, tell them to sign with a sub-domain, such as:
key1._domainkey.3rd-party-esp.edhance.com
rather than
key1._domainkey.edhance.com
That is, you use different d= signing domains for different kinds of
mailstreams, and let them develop independent reputations. This ought to
provide some protection against a problem with one's stream affecting the
processing of another of your streams.
> Does this mean I can set up another DNS record and a separate public/private
> key to send email from servers that I administer?
As Murray responded, yes.
The left-most sub-domain name is the selector and you can have any number of
selectors for the same domain name, each with their own key. In addition to the
use you've noticed, it's what you need to roll over to a new key, even when
there is only one agent doing signing.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Received on Sat Feb 06 2010 - 06:08:35 PST
This archive was generated by hypermail 2.2.0+W3C-0.50 : Sat Feb 06 2010 - 14:50:01 PST
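The two points Dave makes above, that the verifier's DNS lookup is built from the signature's s= and d= tags (`<selector>._domainkey.<signing domain>`) and that a delegated sender is best given its own subdomain and selector, can be checked on received mail. The following script is an added example written for this thread, not code from the thread or from OpenDKIM: it parses a DKIM-Signature header, derives the TXT record name the verifier will fetch, tells whether d= is the base domain, a subdomain of it, or foreign, and compares the (selector, domain) pair against a local policy table of who holds which private key. The selectors `mail2010a`/`mail2010b`, the subdomain `3rd-party-esp.edhance.com`, the policy table and the three sample headers are all constructed for illustration.

```python
import re

ORG_DOMAIN = "edhance.com"  # the domain discussed in the thread

# Constructed policy table: the (selector, d= domain) pairs we expect to see in
# our mail, and who holds the matching private key. Two selectors on the base
# domain model a key rollover (old and new key published at the same time).
POLICY = {
    ("key1", "3rd-party-esp.edhance.com"): "third-party ESP, delegated subdomain",
    ("mail2010a", "edhance.com"): "our own MTA, current key",
    ("mail2010b", "edhance.com"): "our own MTA, next key during rollover",
}


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs.

    Folded lines are joined first; whitespace inside values is dropped, which is
    what verifiers do for b= and bh= and is harmless for the other tags."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for item in unfolded.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def dns_record_name(tags):
    """Name of the TXT record a verifier fetches: <s=>._domainkey.<d=>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def classify_signature(header_value, org_domain=ORG_DOMAIN):
    """Report which signing domain a message used and whether policy expects it."""
    tags = parse_dkim_tags(header_value)
    d, s = tags["d"], tags["s"]
    if d == org_domain:
        scope = "base domain"          # shares the organisation's reputation
    elif d.endswith("." + org_domain):
        scope = "subdomain"            # independent reputation for this stream
    else:
        scope = "foreign domain"       # not our domain at all
    return {
        "record": dns_record_name(tags),
        "scope": scope,
        "owner": POLICY.get((s, d), "UNKNOWN: not in policy, investigate"),
    }


# Constructed sample headers (values shortened; b= is not a real signature).
ESP_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=3rd-party-esp.edhance.com;\r\n"
    "\ts=key1; h=from:to:subject:date;\r\n"
    "\tbh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=; b=AAAAexamplesignatureAAAA"
)
OWN_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=edhance.com; s=mail2010a;"
    " h=from:to:subject:date; bh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=; b=BBBBexampleBBBB"
)
# The record the ESP originally asked for: their selector on the base domain.
BASE_DOMAIN_ESP_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=edhance.com; s=key1;"
    " h=from:to:subject:date; bh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=; b=CCCCexampleCCCC"
)

if __name__ == "__main__":
    for sig in (ESP_SIGNATURE, OWN_SIGNATURE, BASE_DOMAIN_ESP_SIGNATURE):
        print(classify_signature(sig))
```

The third header shows the check in action: a `key1` signature on the base domain is not in the policy table, so it is flagged for a look at what is actually published under `key1._domainkey.edhance.com`. Running this over the DKIM-Signature headers of your own outbound streams is a cheap way to confirm each stream signs with the d= you intended for it.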