Re: dkim signing by an email service provider

From: Murray S. Kucherawy <>
Date: Thu, 29 Nov 2012 15:43:01 -0800 (PST)

On Fri, 30 Nov 2012, Daniel Black wrote:
> Wondering how other people go about setting up DKIM signing as a service
> provider. So the service provider is providing an outbound email service
> for a number of email clients.

So you would say something like: "If the From: says domain X and the
source IP address is in range Y, then sign it with key Z" for an arbitrary
set of domains?

Sure, that seems feasible. It seems to me though that the biggest thing
you have to worry about with a service like that is queueing of stuff on
behalf of your clisnts when it can't be delivered right away.

> My initial thoughts are to provide a DKIM signature on the domain of the
> service provider, and a DKIM signature that is configurable by the
> client on the client's domain.
> Anyone have any thoughts how two valid signatures would be handled in
> the logic on email receivers?

OpenDKIM's philosophy is to develop reputation of the domains of every
passing signature. The higher reputation among the set is the one that
makes the final selection of the action to be taken. The thinking there
is: If you manage to get your mail signed by somebody highly reputable,
then their reputation is on the line, so we let it go; if their reputation
suffers as a result, then they should be more selective about what they're

I don't know how others might handle multiple signatures. It's not
frequent enough or important enough yet to have some kind of best
practices out there.

I know that many years ago, AOL would disregard signatures that didn't
match the From: domain. I imagine that's not an uncommon philosophy.

> I looked at a Google Apps hosted domain and it adds a
> X-Google-DKIM-Signature header field which is the DKIM signature. How
> odd.

I think that's got something to do with either:

a) copying the DKIM-Signature as it was originally observed, or

b) A DKIM-Signature that's intended for use between Google systems, and
not for evaluation outside of Google.

Received on Thu Nov 29 2012 - 23:43:20 PST

This archive was generated by hypermail 2.3.0 : Thu Nov 29 2012 - 23:45:02 PST