[dkim-ops] DKIM seems complicated

SM sm at resistor.net
Wed Aug 10 10:59:31 PDT 2005


Hi Jerry,
At 09:25 10-08-2005, Jerry Martin wrote:
>In our situation, we have two e-mail gateway servers--one outbound 
>(mail1) and one inbound (mail2)--which serve three separate domains 
>internally. These servers sometimes will assume the role of the 
>other server for periods of down-time. Our DNS is hosted by a third 
>party, and changes must be submitted through our corporate office.
>
>First of all, I'm not clear on the timing between the time the DNS 
>server is updated and the time the message signing begins. If I 
>first update the DNS records, will enabled receiving servers 
>immediately begin expecting my messages to be signed? Or, if I begin 
>by signing messages, will enabled receiving servers fail the 
>messages if they don't find the matching DNS entry?

Change the DNS records first.  Wait for the change to propagate and 
then start signing.  Receiving mail servers running DKIM will fail to 
verify the message if they cannot find the matching DNS entry.

>If, later, the key is changed, DNS propagation can take several 
>days. How do I avoid having conflicts with message signatures and DNS records?

If you want to change the key, change the selector and sign your 
messages with it.  Keep the old selector in DNS for a week before removing it.


>Should I use the same key for both mail1 and mail2, or doesn't it matter?

You can do that if you run both servers.  The alternative is to use 
different selectors to sign messages sent from each server.

>What about the keys for the other domains within my 
>organization...should they each have their own key and should it be 
>the same key for both e-mail servers?

You can use the same key for all your domains or a different key for 
each domain.  As you are not in control of DNS, it might be better to 
have a different key for each domain.

>I can't even be sure that the other domain admins will even be 
>interested in DKIM. If I start signing messages, will the other 
>domains be affected?

No, they should not be affected.

Regards,
-sm 
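The ordering in the reply above (publish the selector record, confirm it is visible, then sign; for rotation, publish the new selector first and keep the old one for a grace period) is easy to get wrong when someone else controls the zone. The following pre-flight check is an added example and is not code from the dkim-ops list or from any DKIM implementation: it parses a DKIM key record as a verifier would (joining the split TXT strings, reading the tag=value list, treating an empty p= as a revoked key) and refuses to start signing with a selector until DNS serves the key we actually hold. The domain example.com, the selector names, the ZONE dict standing in for the third-party DNS, and the placeholder key material are all constructed for the illustration.

```python
"""Pre-flight check for DKIM selectors and a selector-rotation status helper.

Added example, not from the dkim-ops list.  DNS is simulated by the
constructed ZONE dict so the code runs offline; a real deployment would
issue a TXT query for <selector>._domainkey.<domain> instead of lookup_txt().
"""
import base64
import binascii
import re

# Placeholder standing in for the base64 DER public key that was sent to
# the corporate office for publication.  Not a real RSA key.
FAKE_PUBKEY = base64.b64encode(b"placeholder-public-key-for-mail1-2005").decode()

# Constructed zone data.  Each value is the list of character-strings that
# make up one TXT record: keys longer than 255 bytes are split into several
# strings, and a verifier concatenates them without separators.
ZONE = {
    "mail1._domainkey.example.com": ["v=DKIM1; k=rsa; ", "p=" + FAKE_PUBKEY],
    # Old selector from an earlier rotation, revoked by publishing an empty p=.
    "2004._domainkey.example.com": ["v=DKIM1; p="],
}


def lookup_txt(zone, selector, domain):
    """Stand-in for a TXT query of <selector>._domainkey.<domain>."""
    return zone.get(f"{selector}._domainkey.{domain}")


def parse_dkim_record(strings):
    """Parse a DKIM key record (semicolon-separated tag=value list).

    Folding whitespace inside a value is not significant, so it is stripped
    before the key is compared.  Duplicate or malformed tags raise ValueError.
    """
    tags = {}
    for field in "".join(strings).split(";"):
        if not field.strip():
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = field.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", value)
    return tags


def ready_to_sign(zone, selector, domain, expected_pubkey):
    """Return (ok, reason): may the gateway start signing with this selector?"""
    strings = lookup_txt(zone, selector, domain)
    if strings is None:
        return False, "no TXT record published yet (or not propagated)"
    try:
        tags = parse_dkim_record(strings)
    except ValueError as e:
        return False, f"unparseable record: {e}"
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "v= tag present but not DKIM1"
    if tags.get("k", "rsa") != "rsa":
        return False, f"unsupported key type {tags['k']}"
    pub = tags.get("p")
    if pub is None:
        return False, "p= tag missing"
    if pub == "":
        return False, "key revoked (empty p=)"
    try:
        base64.b64decode(pub, validate=True)
    except binascii.Error:
        return False, "p= is not valid base64"
    if pub != re.sub(r"\s+", "", expected_pubkey):
        return False, "published key does not match the signing key"
    return True, "ok"


def rotation_status(zone, domain, old_selector, new_selector, new_pubkey):
    """Describe where a selector rotation stands, given what DNS serves now.

    Order of operations: publish the new selector, wait until it is visible,
    switch signing to it, keep the old selector published for a grace period,
    then remove or revoke it.
    """
    new_ok, why = ready_to_sign(zone, new_selector, domain, new_pubkey)
    old_present = lookup_txt(zone, old_selector, domain) is not None
    if not new_ok:
        return f"keep signing with {old_selector}: {new_selector} not usable ({why})"
    if old_present:
        return (f"sign with {new_selector}; keep {old_selector} published "
                f"until mail signed with it has been delivered")
    return f"sign with {new_selector}; rotation complete"


if __name__ == "__main__":
    for sel in ("mail1", "mail2", "2004"):
        print(sel, ready_to_sign(ZONE, sel, "example.com", FAKE_PUBKEY))
    print(rotation_status(ZONE, "example.com", "mail1", "mail2", FAKE_PUBKEY))
```

Run the check from each gateway (mail1 and mail2) against the resolvers those hosts actually use, not only from the office network: a record that has propagated to one resolver and not another is exactly the window in which signed mail fails verification.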


