For hosts which only ever send mail with from addresses @ their own
hostname, should that hostname be used as the dkim domainname?

I.e., given the zone example.com, an existing dkim record for
baz._domainkey.example.com (which is used for mail sent from
any @example.com addresses) and a host named foo.example.com
where foo.example.com is a terminal record in the zone, is it
best to use bar._domainkey.foo.example.com with t=s for mail sent
directly by foo.example.com with @foo.example.com from addresses?
Or is it better to leave foo.example.com terminal, and use
bar._domainkey.example.com w/o t=s for the dkim rr?

Part of the question is whether there is value in ensuring that non-apex
hostnames are terminal in the zone. And, if so, whether that outweighs
the value of limiting a given dkim key pair to a specific @host.
-JimC
--
James Cloos <cloos_at_jhcloos.com> OpenPGP: 1024D/ED7DAEA6
Received on Wed Sep 11 2013 - 17:22:24 PST
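
Added example, not part of the original message: a sketch of how a verifier applies the RFC 6376 t=s key flag to the two layouts asked about above. The record contents, the PLACEHOLDER key value and the selector named strict are constructed for illustration.

```python
# Added illustration: the d=/i= check a DKIM verifier applies, with and without
# the "s" flag in the key record's t= tag (RFC 6376, sections 3.5 and 3.6.1).

def parse_tags(text):
    """Parse a DKIM tag=value list (key record or DKIM-Signature value)."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags

def key_query_name(sig):
    """DNS name queried for the public key: <s=>._domainkey.<d=>."""
    return f"{sig['s']}._domainkey.{sig['d']}".lower()

def identity_allowed(sig, key_record):
    """True if the i= domain is acceptable for this d= under the key's t= flags."""
    d = sig["d"].lower()
    # i= defaults to "@" + d when the signature omits it.
    i_domain = sig.get("i", "@" + d).rsplit("@", 1)[1].lower()
    flags = [f.strip() for f in key_record.get("t", "").split(":") if f.strip()]
    if "s" in flags:
        return i_domain == d                      # t=s: no subdomains of d=
    return i_domain == d or i_domain.endswith("." + d)

# Constructed zone content. "strict" is a hypothetical selector showing what
# happens if the apex key carried t=s.
ZONE = {
    "bar._domainkey.foo.example.com": "v=DKIM1; k=rsa; t=s; p=PLACEHOLDER",
    "bar._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER",
    "strict._domainkey.example.com": "v=DKIM1; k=rsa; t=s; p=PLACEHOLDER",
}

def check(sig_text):
    """Return (queried DNS name, verdict); verdict is None if no key exists."""
    sig = parse_tags(sig_text)
    name = key_query_name(sig)
    record = ZONE.get(name)
    if record is None:
        return name, None
    return name, identity_allowed(sig, parse_tags(record))

if __name__ == "__main__":
    for s in ("v=1; d=foo.example.com; s=bar; i=@foo.example.com",   # key under the host
              "v=1; d=example.com; s=bar; i=@foo.example.com",       # apex key, no t=s
              "v=1; d=example.com; s=strict; i=@foo.example.com"):   # apex key with t=s
        print(check(s))
```

The first layout places a _domainkey label beneath foo.example.com, so that name is no longer terminal in the zone; the second keeps it terminal but only works for an i= at the host name because the apex key omits t=s.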