DKIM for individual addresses?

Strator

I have a mail address ( [email protected] ) that I have been using for quite some time now. Domain.com has DKIM set up.

Now I have set up forwarders so that someone else can use [email protected] - but that someone isn't sending his mail through my servers (instead, he is using gmail). Does that mean I need to delete all DKIM records, or is there a way to continue using DKIM for my individual address only?

Thanks in advance!
 
Hello,

According to the RFC (http://www.ietf.org/rfc/rfc4871.txt) you may use multiple selectors for your goals:

Code:
3.1.  Selectors

   To support multiple concurrent public keys per signing domain, the
   key namespace is subdivided using "selectors".  For example,
   selectors might indicate the names of office locations (e.g.,
   "sanfrancisco", "coolumbeach", and "reykjavik"), the signing date
   (e.g., "january2005", "february2005", etc.), or even the individual
   user.   Selectors are needed to support some important use cases.  For
   example:

   o  Domains that want to delegate signing capability for a specific
      address for a given duration to a partner, such as an advertising
      provider or other outsourced function.

   o  Domains that want to allow frequent travelers to send messages
      locally without the need to connect with a particular MSA.

   o  "Affinity" domains (e.g., college alumni associations) that
      provide forwarding of incoming mail, but that do not operate a
      mail submission agent for outgoing mail.
For more reading, please refer to http://www.ietf.org/rfc/rfc4871.txt
 
Hello Alex,

That is great to know. But would you also have any idea how to implement this?

The basic instructions are here: http://www.directadmin.com/features.php?id=1189

So the exim.conf part would have to be changed to look for the actual $sender_address as well. Then of course the dkim_create.sh script would have to be changed to be able to create keys for individual email addresses. But that's not all - somehow the different public keys would also have to be published via DNS, correct?
 
Are you sure that emails from [email protected] are sent from another server? If so, then my understanding is that you should add the second _domainkey record in DNS (directadmin server if you host DNS there):

xx._domainkey

for example with a valid value. And sign emails from [email protected] specifying that selector xx.
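To make the selector mechanism concrete (the per-address signing change to exim discussed above, and the xx._domainkey record suggested here), the following is an added Python example, not code from the thread, DirectAdmin or the RFC: it picks a selector per envelope sender, derives the DNS name a verifier queries from a DKIM-Signature header, and checks whether a published key record is usable. The domain example.com, the selector names and the policy map are constructed placeholders.

```python
"""Per-user DKIM selectors: how a signer picks a selector and where a verifier looks up the key."""
import re

# Constructed sample policy: one selector per individual sender address, a catch-all for the rest.
# None means "do not sign here" (the address is used from another provider, e.g. Gmail).
SELECTOR_POLICY = {
    "strator@example.com": "strator",   # hypothetical user with their own key
    "friend@example.com": None,         # sends through Gmail; leave unsigned on our side
}
DEFAULT_SELECTOR = "default"


def selector_for_sender(sender, policy=SELECTOR_POLICY, default=DEFAULT_SELECTOR):
    """Return the selector the MTA should sign with for this sender, or None to leave it unsigned."""
    return policy.get(sender.lower(), default)


def parse_tag_list(value):
    """Parse an RFC 4871 tag=value list, the syntax shared by DKIM-Signature headers and key records."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)          # split once: base64 values may end in '='
        tags[name.strip()] = re.sub(r"\s+", "", val)   # folding whitespace inside values is ignored
    return tags


def key_record_name(signature_header):
    """DNS name a verifier queries for the public key: <selector>._domainkey.<signing domain>."""
    tags = parse_tag_list(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def auid_matches_domain(signature_header):
    """The i= identity (if present) must be in the d= domain or a subdomain of it."""
    tags = parse_tag_list(signature_header)
    if "i" not in tags:
        return True
    auid_domain = tags["i"].rsplit("@", 1)[-1].lower()
    d = tags["d"].lower()
    return auid_domain == d or auid_domain.endswith("." + d)


def key_is_usable(txt_record):
    """A key record whose p= tag is empty is revoked (RFC 4871 3.6.1) and cannot verify anything."""
    tags = parse_tag_list(txt_record)
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))
```

A receiver that finds no signature at all simply treats the message as unsigned, which is the situation of the Gmail-sent mail in this thread; an empty p= record is how a domain retires one selector's key without touching the others.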
 
Fantastic reply. But I think you are misunderstanding me - probably because I am misunderstanding how DKIM works.

I thought that having a DKIM public key published requires everyone on that domain to sign their mails or look like spammers. So I thought that, to make sure that [email protected] doesn't look like a spammer, I need to remove the published DKIM key.

But if I get it right, it makes no difference to [email protected] if I have a published DKIM key or not - if he doesn't sign his mails, his mails are simply treated as unsigned, no harm done. Correct?
 
That's OK if you don't sign emails sent via/from GMAIL.

  • What does a DKIM signature mean?

The owner of the domain name being used for a DKIM signature is declaring that they are accountable for the message. This means that their reputation is at stake.
Receivers who successfully validate a signature can use information about the signer as part of a program to limit spam, spoofing, phishing, or other undesirable behavior, although the DKIM specification itself does not prescribe any specific actions by the recipient.

http://dkim.org/info/dkim-faq.html#basics
 