<div dir="ltr">What about DKIM only? Can it be used instead of, or, as a "replacement" for SPF? For example mails are signed with DKIM from the SMTP servers, and the receiving servers are checking both SPF and DKIM. If the receiving server detected a missing SPF would it allow mail through if DKIM is present and valid? I suppose a lot of this depends on the SPF policies enforced on the receiving side. </div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 29, 2016 at 1:53 AM, Dave Warren <span dir="ltr"><<a href="mailto:davew@hireahit.com" target="_blank">davew@hireahit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div><div>The easiest answer is: Whatever you want. Strictly speaking, <a href="http://alphazulu.com" target="_blank">alphazulu.com</a> can send mail on behalf of <a href="http://foxtrot.com" target="_blank">foxtrot.com</a> using a <a href="http://alphazulu.com" target="_blank">alphazulu.com</a> DKIM selector, and that's perfectly valid under DKIM. However, it won't have DMARC alignment, which is becoming more and more important, so if alignment is relevant, you'll need to use a <a href="http://foxtrot.com" target="_blank">foxtrot.com</a> selector.<br></div>
<div><br></div>
<div>tl;dr: Use a <a href="http://foxtrot.com" target="_blank">foxtrot.com</a> selector unless you simply can't.<br></div>
<div><br></div>
<div>As for who generates it, it's irrelevant. The sending server will need the private key, your DNS records will contain the public key, but it makes no difference if <a href="http://foxtrot.com" target="_blank">foxtrot.com</a> creates the keys and delivers them to the appropriate parties, or if <a href="http://alphazulu.com" target="_blank">alphazulu.com</a> generates generates a private key and provides the alphazulu._<a href="http://domainkey.foxtrot.com" target="_blank">domainkey.foxtrot.<wbr>com</a> record to <a href="http://foxtrot.com" target="_blank">foxtrot.com</a>.<br></div>
<div><br></div>
<div>Remember that you can have as many selectors as you want, don't reuse them across trust boundaries (in other words, consider that in the future, <a href="http://foxtrot.com" target="_blank">foxtrot.com</a> and <a href="http://alphazulu.com" target="_blank">alphazulu.com</a> may part ways, when that happens, it's ideal if you can remove the selector from your DNS (after a period of time, at least a week), such that <a href="http://alphazulu.com" target="_blank">alphazulu.com</a> cannot continue to sign mail. It's also ideal if you don't have to update DKIM records elsewhere in your infrastructure.<br></div>
<div><br></div>
<div>I hope at least some of this makes sense, but if not, ask. DKIM and DMARC are fiddly, and a lot of the DKIM advice out there isn't entirely complete now that DMARC is on the scene and DMARC builds on top of DKIM and SPF.</div><div><div class="h5">
<div><br></div>
<div><br></div>
<div>On Sun, Aug 28, 2016, at 16:13, project722 wrote:<br></div>
</div></div><blockquote type="cite"><div><div class="h5"><div dir="ltr"><div><div><div><div><div><div>Lets say my domain is <a href="http://foxtrot.com" target="_blank">foxtrot.com</a> and we have SPF records for the SMTP servers on <a href="http://foxtrot.com" target="_blank">foxtrot.com</a>. Now lets say I have decided I want to allow <a href="http://alphazulu.com" target="_blank">alphazulu.com</a> to send mail as foxtrot.I know how to add <a href="http://alphazulu.com" target="_blank">alphazulu.com</a> to the SPF but If I wanted to also use DomainKeys or DKIM to authenticate <a href="http://alphazulu.com" target="_blank">alphazulu.com</a> would the keys need to be in foxtrots name or alphazulu? For example, <br></div>
</div>
<div>Would I use:<br></div>
<div><br></div>
<div>_<a href="http://domainkey.foxtrot.com" target="_blank">domainkey.foxtrot.com</a>. IN TXT "t=y\; o=~\;"<br></div>
<div>xxxxxxx._<a href="http://domainkey.foxtrot.com" target="_blank">domainkey.foxtrot.com</a><wbr>. IN TXT "k=rsa\;<br></div>
<div>p=xxxxxxxxxxx<br></div>
<div><br></div>
</div>
<div>or <br></div>
<div><br></div>
<div>_<a href="http://domainkey.alphazulu.com" target="_blank">domainkey.alphazulu.com</a>. IN TXT "t=y\; o=~\;"<br></div>
<div>xxxxxxx._<a href="http://domainkey.alphazulu.com" target="_blank">domainkey.alphazulu.<wbr>com</a>. IN TXT "k=rsa\;<br></div>
<div>p=xxxxxxxxxxx<br></div>
<div><br></div>
</div>
<div>Also,<br></div>
<div>1) Who generates the keys? Foxtrot or Alphazulu?<br></div>
</div>
<div>2) Would I need both SPF and keys or would keys alone be enough to authenticate the other domain? ( I am in a position where I would like to use only keys) <br></div>
</div>
<div>3) Which one is better to use in terms of provider checking? For example, are providers even checking keys as much as they are SPF?<br></div>
<div><div><div><br></div>
</div>
</div>
</div>
</div></div><div><u>______________________________<wbr>_________________</u><br></div>
<div>Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a> to unsubscribe from this list<br></div>
<div> <br></div>
<div>bind-users mailing list<br></div>
<div><a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br></div>
<div><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a><br></div>
</blockquote><div><br></div>
</div>
<br>______________________________<wbr>_________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a><br></blockquote></div><br></div>