SPF and domain keys

project722 project722 at gmail.com
Mon Aug 29 13:49:59 UTC 2016


What about DKIM only? Can it be used instead of, or as a "replacement" for,
SPF? For example, mails are signed with DKIM from the SMTP servers, and the
receiving servers are checking both SPF and DKIM. If the receiving server
detected a missing SPF, would it allow mail through if DKIM is present and
valid? I suppose a lot of this depends on the SPF policies enforced on the
receiving side.

On Mon, Aug 29, 2016 at 1:53 AM, Dave Warren <davew at hireahit.com> wrote:

> The easiest answer is: Whatever you want. Strictly speaking, alphazulu.com
> can send mail on behalf of foxtrot.com using an alphazulu.com DKIM
> selector, and that's perfectly valid under DKIM. However, it won't have
> DMARC alignment, which is becoming more and more important, so if alignment
> is relevant, you'll need to use a foxtrot.com selector.
>
> tl;dr: Use a foxtrot.com selector unless you simply can't.
>
> As for who generates it, it's irrelevant. The sending server will need the
> private key, your DNS records will contain the public key, but it makes no
> difference if foxtrot.com creates the keys and delivers them to the
> appropriate parties, or if alphazulu.com generates a private
> key and provides the alphazulu._domainkey.foxtrot.com record to
> foxtrot.com.
>
> Remember that you can have as many selectors as you want; don't reuse them
> across trust boundaries (in other words, consider that in the future
> foxtrot.com and alphazulu.com may part ways; when that happens, it's
> ideal if you can remove the selector from your DNS (after a period of time,
> at least a week), such that alphazulu.com cannot continue to sign mail).
> It's also ideal if you don't have to update DKIM records elsewhere in your
> infrastructure.
>
> I hope at least some of this makes sense, but if not, ask. DKIM and DMARC
> are fiddly, and a lot of the DKIM advice out there isn't entirely complete
> now that DMARC is on the scene and DMARC builds on top of DKIM and SPF.
>
>
> On Sun, Aug 28, 2016, at 16:13, project722 wrote:
>
> Let's say my domain is foxtrot.com and we have SPF records for the SMTP
> servers on foxtrot.com. Now let's say I have decided I want to allow
> alphazulu.com to send mail as foxtrot. I know how to add alphazulu.com to
> the SPF, but if I wanted to also use DomainKeys or DKIM to authenticate
> alphazulu.com, would the keys need to be in foxtrot's name or alphazulu's?
> For example, would I use:
>
> _domainkey.foxtrot.com.            IN TXT    "t=y\; o=~\;"
> xxxxxxx._domainkey.foxtrot.com.    IN TXT    "k=rsa\; p=xxxxxxxxxxx"
>
> or
>
> _domainkey.alphazulu.com.            IN TXT    "t=y\; o=~\;"
> xxxxxxx._domainkey.alphazulu.com.    IN TXT    "k=rsa\; p=xxxxxxxxxxx"
>
> Also,
> 1) Who generates the keys? Foxtrot or Alphazulu?
> 2) Would I need both SPF and keys, or would keys alone be enough to
> authenticate the other domain? (I am in a position where I would like to
> use only keys.)
> 3) Which one is better to use in terms of provider checking? For example,
> are providers even checking keys as much as they are SPF?
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
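To make the alignment point in Dave's reply and the "keys only?" question concrete, here is an added example (not code from the thread) that evaluates DMARC identifier alignment for the foxtrot.com / alphazulu.com scenario. It assumes a simplified organizational-domain rule (last two labels) instead of the Public Suffix List, and treats the SPF and DKIM verdicts as already computed inputs.

```python
# Added example: DMARC alignment check for the scenario in the thread.
# DMARC passes when at least one of these holds:
#   - SPF passed AND the MAIL FROM domain aligns with the From: domain, or
#   - a DKIM signature verified AND its d= domain aligns with the From: domain.
# So a valid DKIM signature alone is enough, but only if d= is foxtrot.com.
from dataclasses import dataclass, field
from typing import List, Optional


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.
    Assumption for this example; real verifiers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(ident: str, from_domain: str, mode: str) -> bool:
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    ident, from_domain = ident.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return ident == from_domain
    return org_domain(ident) == org_domain(from_domain)


@dataclass
class DkimResult:
    d: str          # d= tag of the DKIM-Signature header
    selector: str   # s= tag; the public key is published at <s>._domainkey.<d>
    passed: bool    # signature verified against that key


@dataclass
class AuthResults:
    from_domain: str                    # domain of the RFC5322.From header
    spf_domain: Optional[str] = None    # MAIL FROM domain SPF was evaluated for
    spf_passed: bool = False
    dkim: List[DkimResult] = field(default_factory=list)


def dkim_record_name(sig: DkimResult) -> str:
    """DNS name the receiver queries for the signature's public key."""
    return f"{sig.selector}._domainkey.{sig.d}"


def dmarc_pass(r: AuthResults, adkim: str = "r", aspf: str = "r") -> bool:
    """adkim/aspf mirror the DMARC record tags ('r' relaxed, 's' strict)."""
    spf_ok = bool(r.spf_passed and r.spf_domain
                  and aligned(r.spf_domain, r.from_domain, aspf))
    dkim_ok = any(s.passed and aligned(s.d, r.from_domain, adkim) for s in r.dkim)
    return spf_ok or dkim_ok
```

Run with a From: of foxtrot.com: a verified signature with d=alphazulu.com fails DMARC even though DKIM itself is valid, while the same sender signing under an alphazulu._domainkey.foxtrot.com selector passes with no SPF at all.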