<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">If alphazulu.com is sending email as
foxtrot.com it would be best to sign the message as foxtrot.com as
well so that the signature is "aligned" from a DMARC standpoint
(matches the From domain).<br>
<br>
The keys are always in the domain specified by the d= value in the
signature. The best approach is for alphazulu.com to generate a
keypair, agree on a selector name (s= value; any name will do)
with foxtrot.com, create the TXT record from the public key, and
ask foxtrot.com to publish it in its DNS. alphazulu.com then signs
messages using the private key it generated and uses the correct
selector name and d=foxtrot.com in the signatures of the email it
sends as foxtrot.com.<br>
<br>
This is a very common arrangement used by domains that use email
sending providers.<br>
<br>
-Jim<br>
<br>
On 8/28/16 4:13 PM, project722 wrote:<br>
</div>
<blockquote
cite="mid:CAPBQMZA-q31=62bUJm-LkfT7SOVFLv7hiYyrGQ2gdV7-HgCL0A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>Let's say my domain is <a moz-do-not-send="true"
href="http://foxtrot.com">foxtrot.com</a> and we
have SPF records for the SMTP servers on <a
moz-do-not-send="true" href="http://foxtrot.com">foxtrot.com</a>.
Now let's say I have decided I want to allow <a
moz-do-not-send="true" href="http://alphazulu.com">alphazulu.com</a>
to send mail as foxtrot. I know how to add <a
moz-do-not-send="true" href="http://alphazulu.com">alphazulu.com</a>
to the SPF but if I wanted to also use DomainKeys or
DKIM to authenticate <a moz-do-not-send="true"
href="http://alphazulu.com">alphazulu.com</a> would
the keys need to be in foxtrot's name or alphazulu? For
example, <br>
<br>
</div>
Would I use:<br>
<br>
<div>_<a moz-do-not-send="true"
href="http://domainkey.foxtrot.com">domainkey.foxtrot.com</a>.
IN TXT "t=y\; o=~\;"</div>
<div>xxxxxxx._<a moz-do-not-send="true"
href="http://domainkey.foxtrot.com">domainkey.foxtrot.com</a>.
IN TXT "k=rsa\;<br>
</div>
p=xxxxxxxxxxx<br>
<br>
</div>
or <br>
<br>
<div>_<a moz-do-not-send="true"
href="http://domainkey.alphazulu.com">domainkey.alphazulu.com</a>.
IN TXT "t=y\; o=~\;"</div>
<div>xxxxxxx._<a moz-do-not-send="true"
href="http://domainkey.alphazulu.com">domainkey.alphazulu.com</a>.
IN TXT "k=rsa\;<br>
</div>
p=xxxxxxxxxxx<br>
<br>
</div>
Also,<br>
1) Who generates the keys? Foxtrot or Alphazulu?<br>
</div>
2) Would I need both SPF and keys or would keys alone be
enough to authenticate the other domain? (I am in a position
where I would like to use only keys) <br>
</div>
3) Which one is better to use in terms of provider checking? For
example, are providers even checking keys as much as they are
SPF?<br>
<div>
<div>
<div><br>
</div>
</div>
</div>
</div>
<br>
</blockquote>
<p><br>
</p>
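<p>The lookup and alignment rule from the reply above, as an added example that is not part of the original thread: for each DKIM-Signature header it derives the TXT name a verifier queries from s= and d=, and checks whether d= aligns with the From domain. The sample message, the selector names esp1 and az2016, and the two-label organizational-domain shortcut are assumptions made for illustration.</p>

```python
# Added example (not from the thread): where a verifier looks up each DKIM key
# and whether that signature aligns with the From domain for DMARC.
import email
from email.utils import parseaddr

# Constructed sample message; selectors and bh=/b= values are placeholders.
SAMPLE = (
    "From: sales@foxtrot.com\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=alphazulu.com; s=esp1;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=foxtrot.com; s=az2016;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "Subject: hello\n\nbody\n"
)

def parse_tags(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def org_domain(domain):
    # Assumption: last two labels. Real DMARC code uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_signatures(raw):
    """Return key lookup name and alignment result for every signature."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags["d"].lower(), tags["s"]
        results.append({
            "key_record": f"{s}._domainkey.{d}",  # TXT name the verifier queries
            "strict_aligned": d == from_domain,
            "relaxed_aligned": org_domain(d) == org_domain(from_domain),
        })
    return results

if __name__ == "__main__":
    for result in check_signatures(SAMPLE):
        print(result)
```

<p>Only the second signature, whose key record lives under foxtrot.com, is aligned with the From domain; the first is looked up in alphazulu.com's zone and does not align.</p>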
</body>
</html>