SPF and domain keys

Jim Fenton fenton at bluepopcorn.net
Mon Aug 29 22:01:55 UTC 2016

If alphazulu.com is sending email as foxtrot.com it would be best to
sign the message as foxtrot.com as well so that the signature is
"aligned" from a DMARC standpoint (matches the From domain).

The keys are always in the domain specified by the d= value in the
signature. The best approach is for alphazulu.com to generate a keypair,
agree on a selector name (s= value; any name will do) with foxtrot.com,
create the TXT record from the public key, and ask foxtrot.com to
publish it in its DNS. alphazulu.com then signs messages using the
private key it generated and uses the correct selector name and
d=foxtrot.com in the signatures of the email it sends as foxtrot.com.

This is a very common arrangement used by domains that use email sending


On 8/28/16 4:13 PM, project722 wrote:
> Let's say my domain is foxtrot.com and we have SPF records for the SMTP
> servers on foxtrot.com. Now let's say I have decided I want to allow
> alphazulu.com to send mail as foxtrot. I know how to add alphazulu.com to
> the SPF but if I wanted to also use DomainKeys or DKIM to authenticate
> alphazulu.com would the keys need to be in foxtrot's name or alphazulu?
> For example, would I use:
>
> _domainkey.foxtrot.com.            IN TXT  "t=y\; o=~\;"
> xxxxxxx._domainkey.foxtrot.com.    IN TXT  "k=rsa\; p=xxxxxxxxxxx"
>
> or
>
> _domainkey.alphazulu.com.          IN TXT  "t=y\; o=~\;"
> xxxxxxx._domainkey.alphazulu.com.  IN TXT  "k=rsa\; p=xxxxxxxxxxx"
>
> Also,
> 1) Who generates the keys? Foxtrot or Alphazulu?
> 2) Would I need both SPF and keys or would keys alone be enough to
> authenticate the other domain? (I am in a position where I would like
> to use only keys)
> 3) Which one is better to use in terms of provider checking? For
> example, are providers even checking keys as much as they are SPF?
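The arrangement Jim describes, as an added example that is not part of the original thread: alphazulu.com's public key is published under an agreed selector in foxtrot.com's zone, and the resulting signature's d= must align with the From domain for DMARC. The selector name az2016, the sample key bytes and the two-label approximation of the organizational domain are assumptions made for this example, not values from the thread.

```python
"""Build the DKIM TXT record foxtrot.com publishes for a third-party signer
(alphazulu.com), and check DMARC identifier alignment of the signature."""
import base64
import re

# Constructed stand-in for the DER SubjectPublicKeyInfo that alphazulu.com
# would export with `openssl rsa -pubout -outform DER`. 512 bytes so the
# record is long enough to need splitting, like a real RSA-2048 key.
SAMPLE_PUBKEY_DER = bytes(range(256)) * 2


def dkim_txt_record(selector: str, domain: str, pubkey_der: bytes,
                    testing: bool = False) -> str:
    """Zone-file line for <selector>._domainkey.<domain>.

    A single TXT string is capped at 255 octets, so the p= value is split
    into several quoted strings; DKIM verifiers concatenate them."""
    p = base64.b64encode(pubkey_der).decode("ascii")
    rdata = "v=DKIM1; k=rsa; " + ("t=y; " if testing else "") + "p=" + p
    chunks = [rdata[i:i + 255] for i in range(0, len(rdata), 255)]
    quoted = " ".join(f'"{c}"' for c in chunks)
    return f"{selector}._domainkey.{domain}. IN TXT {quoted}"


def parse_tags(signature: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header body."""
    tags = {}
    for part in signature.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dmarc_aligned(signature: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC DKIM alignment: d= must equal the RFC5322.From domain (strict)
    or share its organizational domain (relaxed).
    Assumption: the organizational domain is approximated by the last two
    labels; a production check consults the Public Suffix List."""
    d = parse_tags(signature).get("d", "").lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if strict:
        return d == f
    org = lambda name: ".".join(name.split(".")[-2:])
    return bool(d) and org(d) == org(f)


if __name__ == "__main__":
    print(dkim_txt_record("az2016", "foxtrot.com", SAMPLE_PUBKEY_DER))
    sig = "v=1; a=rsa-sha256; d=foxtrot.com; s=az2016; h=from:to; bh=x; b=y"
    print("aligned:", dmarc_aligned(sig, "foxtrot.com", strict=True))
```

A signature with d=alphazulu.com would verify cryptographically but fail alignment against a foxtrot.com From address, which is why the signing domain, not just the key location, matters here.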
