OpenDKIM "Best Practices?"

From: Steve Jenkins <>
Date: Fri, 8 Oct 2010 09:43:18 -0700

With a program as powerful, flexible, and configurable as OpenDKIM, there
are load of configurable options for what you CAN do with it. But my past
experience as a technical writer while working my way through grad school,
and my current experience as a business owner / sysadmin / hacker, lead me
to believe that a very large percentage of the user base will probably want
to do pretty much the same thing: probably set up one primary mail server,
with maybe a couple other servers that relay mail through the server, and
(assuming they're probably set up to not be an open relay), they'll probably
want to sign all outgoing mail. My gut also says that most users (at least
currently while mail verification technologies are still being adopted) care
more about properly signing outgoing mail than strictly verifying incoming

So, like I said, there are plenty of things you CAN do with OpenDKIM, but
I'd love to see some discussion (even if we don't quite get to perfect
consensus) on what you SHOULD do with it.

That would help those of us who like to document things and write HowTos
(like me: make suggestions to the "average"
user on how to configure it. Usually, those that need "non-average"
configurations are generally "non-average" users, and have the knowledge to
tinker and figure things out. But there are a lot of people out there who
configure and run mail servers that need help configuring and running them,
and helping them do it properly is (IMHO) good for the Internet mail
ecosystem at large. If we can get more people to properly configure their
mail servers, and adopt as many sound practices as possible (whether DKIM,
SPF, proper Return-Path configs, etc.) then that makes it easier for those
of us who send and want to receive only legitimate mail.

Perhaps this discussion could start with what a "vanilla" /etc/opendkim.conf
file should look like for the "average" user (since this IS the
opendkim-users list :)). I should also disclaim that I'm just getting
started with OpenDKIM, so I'm not an expert, and am looking forward to
learning as much with this discussion as possible.

What would an /etc/opendkim.conf and zone file TXT records look like for a
user that:

1) Wants to sign all outgoing mail for a single domain
2) Doesn't want to reject incoming mail that is not signed
3) Wants to reject incoming mail where the domain owner of the sending
domain says they SHOULD reject unsigned or improperly signed incoming mail

Feel free to toss in any other considerations for the average user that I
may be omitting.


Received on Fri Oct 08 2010 - 17:20:32 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:49 PST