Re: dkim signing by an email service provider

From: Daniel Black <daniel.subs_at_internode.on.net>
Date: Fri, 30 Nov 2012 11:02:58 +1100

On 30/11/12 10:43, Murray S. Kucherawy wrote:
> On Fri, 30 Nov 2012, Daniel Black wrote:
>> Wondering how other people go about setting up DKIM signing as a
>> service provider. So the service provider is providing an outbound
>> email service for a number of email clients.
>
> So you would say something like: "If the From: says domain X and the
> source IP address is in range Y, then sign it with key Z" for an
> arbitrary set of domains?

Pretty much. I would probably do it on From: and enforce that the From:
matches the SMTP-AUTH identity (as an MTA setting) rather than IP-based, but
it still falls into the signing rules.

> Sure, that seems feasible. It seems to me though that the biggest thing
> you have to worry about with a service like that is queueing of stuff on
> behalf of your clients when it can't be delivered right away.

Not sure what you mean. As an outbound service I'd expect some that
can't be delivered anyway.

>> My initial thoughts are to provide a DKIM signature on the domain of
>> the service provider, and a DKIM signature that is configurable by the
>> client on the client's domain.
>>
>> Anyone have any thoughts how two valid signatures would be handled in
>> the logic on email receivers?
>
> OpenDKIM's philosophy is to develop reputation of the domains of every
> passing signature. The higher reputation among the set is the one that
> makes the final selection of the action to be taken. The thinking there
> is: If you manage to get your mail signed by somebody highly reputable,
> then their reputation is on the line, so we let it go; if their
> reputation suffers as a result, then they should be more selective about
> what they're signing.
>
> I don't know how others might handle multiple signatures. It's not
> frequent enough or important enough yet to have some kind of best
> practices out there.

Sounds safe to sign with a client domain key if configured/available
and fall back to a provider one if that fails. Keep it as always one
signature.


> I know that many years ago, AOL would disregard signatures that didn't
> match the From: domain. I imagine that's not an uncommon philosophy.
>
>> I looked at a Google Apps hosted domain and it adds a
>> X-Google-DKIM-Signature header field which is the DKIM signature. How
>> odd.
>
> I think that's got something to do with either:
>
> a) copying the DKIM-Signature as it was originally observed, or
>
> b) A DKIM-Signature that's intended for use between Google systems, and
> not for evaluation outside of Google.

Sounds plausible.

Received on Fri Nov 30 2012 - 00:03:22 PST

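The two policies discussed in this exchange, as an added example that is not part of the thread and not OpenDKIM's own code: on the sending side, the provider's signer enforces that the From: domain matches the SMTP AUTH identity's domain and then applies exactly one signature, the client's own key when one is configured and the provider's key otherwise; on the receiving side, the two evaluation strategies mentioned (accept only a signature whose d= matches the From: domain, or let the highest-reputation passing signer decide). The provider domain, the key table, the key identifiers and the reputation scores are all assumptions invented for the example; no real cryptographic signing or DNS lookup happens here, the functions only make the policy decisions a signer and a verifier would make around those steps.

```python
"""Signing-policy and receiver-evaluation sketch for a multi-tenant DKIM relay.

Added example, not from the mailing-list thread and not OpenDKIM code.
Assumes a hypothetical outbound relay that knows the SMTP AUTH identity of
each submission, a per-client key table, and a provider-wide fallback key.
The "key id" values stand in for private-key handles; nothing is signed.
"""
from email import message_from_string
from email.utils import parseaddr

PROVIDER_DOMAIN = "mailprovider.example"  # assumed provider domain

# Hypothetical key table: From: domain -> (selector, key id).
CLIENT_KEYS = {
    "client-a.example": ("s2012", "key-client-a"),
}
PROVIDER_KEY = ("relay", "key-provider")  # fallback when a client has no key

# Constructed sample submissions (not real mail).
SAMPLE_CLIENT_A = (
    "From: Alice <alice@Client-A.example>\n"
    "To: bob@recipient.example\n"
    "Subject: test\n\nhello\n"
)
SAMPLE_CLIENT_B = (
    "From: carol@client-b.example\n"
    "To: bob@recipient.example\n"
    "Subject: test\n\nhello\n"
)


def domain_of(addr):
    """Lower-cased domain part of an RFC 5322 address, or None if absent."""
    _, addr = parseaddr(addr or "")
    return addr.rpartition("@")[2].lower() or None


def choose_signature(raw_message, auth_identity):
    """Return (d=, selector, key id) for the single signature to apply.

    Sender-side policy from the thread: the From: domain must equal the
    domain of the SMTP AUTH identity, otherwise the submission is refused;
    then sign with the client's key if configured, else the provider's key.
    Exactly one signature is ever returned.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    auth_domain = domain_of(auth_identity)
    if from_domain is None or from_domain != auth_domain:
        raise PermissionError(
            f"From: domain {from_domain!r} does not match AUTH domain {auth_domain!r}"
        )
    if from_domain in CLIENT_KEYS:
        selector, key = CLIENT_KEYS[from_domain]
        return (from_domain, selector, key)
    selector, key = PROVIDER_KEY
    return (PROVIDER_DOMAIN, selector, key)


def receiver_verdict(from_domain, signatures, reputation, policy):
    """Pick which signing domain, if any, the receiver trusts for this message.

    signatures: list of (d= domain, verified) for each DKIM-Signature found.
    reputation: assumed d= -> score table (higher is better).
    policy 'author-only': only a passing signature whose d= equals the From:
        domain counts (the AOL-style behaviour mentioned in the thread).
    policy 'best-reputation': among passing signatures, the domain with the
        highest reputation decides, and is the one whose reputation is on the
        line afterwards (the OpenDKIM philosophy described in the thread).
    Returns the chosen domain, or None when no signature is accepted.
    """
    passing = [d.lower() for d, ok in signatures if ok]
    if policy == "author-only":
        return from_domain if from_domain in passing else None
    if policy == "best-reputation":
        if not passing:
            return None
        return max(passing, key=lambda d: reputation.get(d, 0))
    raise ValueError(f"unknown policy {policy!r}")
```

A mismatch between From: and the AUTH identity is refused outright rather than signed with the provider key, because a signature from the provider on a From: the provider did not verify is exactly the case where the provider's reputation, and not the client's, would take the hit.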