SPF and domain keys

Dave Warren davew at hireahit.com
Mon Aug 29 06:53:52 UTC 2016 

The easiest answer is: Whatever you want. Strictly speaking,
alphazulu.com can send mail on behalf of foxtrot.com using a
alphazulu.com DKIM selector, and that's perfectly valid under DKIM.
However, it won't have DMARC alignment, which is becoming more and more
important, so if alignment is relevant, you'll need to use a
foxtrot.com selector.

tl;dr: Use a foxtrot.com selector unless you simply can't.

As for who generates it, it's irrelevant. The sending server will need
the private key, your DNS records will contain the public key, but it
makes no difference if foxtrot.com creates the keys and delivers them to
the appropriate parties, or if alphazulu.com generates generates a
private key and provides the alphazulu._domainkey.foxtrot.com record to
foxtrot.com.

Remember that you can have as many selectors as you want, don't reuse
them across trust boundaries (in other words, consider that in the
future, foxtrot.com and alphazulu.com may part ways, when that happens,
it's ideal if you can remove the selector from your DNS (after a period
of time, at least a week), such that alphazulu.com cannot continue to
sign mail. It's also ideal if you don't have to update DKIM records
elsewhere in your infrastructure.

I hope at least some of this makes sense, but if not, ask. DKIM and
DMARC are fiddly, and a lot of the DKIM advice out there isn't
entirely complete now that DMARC is on the scene and DMARC builds on
top of DKIM and SPF.


On Sun, Aug 28, 2016, at 16:13, project722 wrote:
> Lets say my domain is foxtrot.com and we have SPF records for the SMTP
> servers on foxtrot.com. Now lets say I have decided I want to allow
> alphazulu.com to send mail as foxtrot.I know how to add alphazulu.com
> to the SPF but If I wanted to also use DomainKeys or DKIM to
> authenticate alphazulu.com would the keys need to be in foxtrots name
> or alphazulu? For example,
> Would I use:
>
> _domainkey.foxtrot.com.                  IN TXT          "t=y\; o=~\;"
> xxxxxxx._domainkey.foxtrot.com.           IN TXT          "k=rsa\;
> p=xxxxxxxxxxx
>
> or
>
> _domainkey.alphazulu.com.                  IN TXT
> "t=y\; o=~\;"
> xxxxxxx._domainkey.alphazulu.com.           IN TXT          "k=rsa\;
> p=xxxxxxxxxxx
>
> Also,
> 1) Who generates the keys? Foxtrot or Alphazulu?
> 2) Would I need both SPF and keys or would keys alone be enough to
>    authenticate the other domain? ( I am in a position where I would
>    like to use only keys)
> 3) Which one is better to use in terms of provider checking? For
>    example, are providers even checking keys as much as they are SPF?
>
> _________________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20160828/e9753c8c/attachment-0001.html>

More information about the bind-users mailing list