[dkim-ops] DKIM seems complicated
Jerry Martin
croix at myrealbox.com
Wed Aug 10 09:25:11 PDT 2005
Greetings:
I'm considering deploying MDaemon's DKIM implementation in place of what seems to be the dying SPF that I've been using for a while. I had been getting some pretty promising results from the SPF implementation, but I can certainly see where DKIM has some specific advantages.
After having read "DomainKeys: Proving and Protecting Email Sender Identity" at: http://antispam.yahoo.com/domainkeys and "DomainKey Distribution Options" at: http://domainkeys.sourceforge.net/dist.html, I'm still unsure about how exactly to go about the deployment.
In our situation, we have two e-mail gateway servers--one outbound (mail1) and one inbound (mail2)--which serve three separate domains internally. These servers sometimes will assume the role of the other server for periods of down-time. Our DNS is hosted by a third party, and changes must be submitted through our corporate office.
First of all, I'm not clear on the timing between the time the DNS server is updated and the time the message signing begins. If I first update the DNS records, will enabled receiving servers immediately begin expecting my messages to be signed? Or, if I begin by signing messages, will enabled receiving servers fail the messages if they don't find the matching DNS entry?
If, later, the key is changed, DNS propagation can take several days. How do I avoid having conflicts with message signatures and DNS records?
What might be the best method for me to go about keeping DNS current?
Should I use the same key for both mail1 and mail2, or doesn't it matter?
What about the keys for the other domains within my organization...should they each have their own key and should it be the same key for both e-mail servers?
I can't even be sure that the other domain admins will even be interested in DKIM. If I start signing messages, will the other domains be affected?
Can anyone point me to some documents that might help make this all more clear?
Thanks,
Jerry