From c1e3652bebf27807d6532af2b2cbd2eed4552465 Mon Sep 17 00:00:00 2001 From: Hans Salvisberg Date: Thu, 29 Jan 2015 02:05:28 +0100 Subject: [PATCH] Tweak plugins/dkim doc to clarify the d= issue and add a third email reflector. --- plugins/dkim | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/plugins/dkim b/plugins/dkim index 5815873..9566c17 100644 --- a/plugins/dkim +++ b/plugins/dkim @@ -79,10 +79,11 @@ And the values in the address have the following meaning: After confirming that the DKIM public key can be fetched with DNS (dig TXT may2013._domainkey.example.org. @ns1.example.org.), send test messages. You can testing DKIM by sending an email to: * a Gmail address and inspect the Authentication-Results header. + * mailtest@unlocktheinbox.com * check-auth@verifier.port25.com * checkmyauth@auth.returnpath.net -The two DKIM relays provide a nice email report with additional debugging information. +The three email reflectors provide nice email reports with additional debugging information. =head2 publish DKIM policy in DNS 
@@ -105,11 +106,11 @@ Following the directions above will configure QP to DKIM sign messages from auth cd ~smtpd/config/dkim ln -s example.org client.com -QP will follow the symlink target and sign client.com emails with the example.org DKIM key. +QP will follow the symlink target and sign client.com emails with the example.org DKIM key and set d=example.org. This is B necessary for hosts or subdomains. If the DKIM key for host.example.com does not exist, and a key for example.com does exist, the parent DKIM key will be used to sign the message. So long as your DKIM and DMARC policies are set to relaxed alignment, these signed messages for subdomains will pass. -CAUTION: just because you can sign for other domains, doesn't mean you should. Even with a relaxed DKIM policy, if the other domain doesn't have a suitable DMARC record for client.com, they may encounter deliverability problems. It is better to have keys generated and published for each domain. +CAUTION: just because you can sign for other domains, doesn't mean you should. Even with a relaxed DKIM policy, signing client.com's email with d=example.org causes an alignment error, and they may encounter deliverability problems. It is better to have keys generated and published for each domain, or at least to make a copy of config/dkim/example.org rather than linking to it. =head1 SEE ALSO
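Review bot: In the first hunk, the sentence just above the added bullet still reads "You can testing DKIM by sending an email to:" on an unchanged context line; since this patch already touches the wording of that list, fix it in the same change ("You can test DKIM by sending an email to:"). The new "three email reflectors" count is consistent with the list (Gmail plus the three reflector addresses), but consider adding one sentence that test messages sent to third-party reflectors leave the operator's control, so they should contain nothing sensitive and should be sent from a test mailbox rather than a real user's.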
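Review bot: In the second hunk, the new advice "or at least to make a copy of config/dkim/example.org rather than linking to it" is incomplete and, as written, leaves the signature unverifiable: a copied key directory named client.com will produce d=client.com, so the same public key must also be published under the client.com selector in DNS (selector._domainkey.client.com), which the CAUTION does not mention. The copy also shares one private key across two unrelated domains, so a compromise of that key lets the holder sign for both; the paragraph should state that trade-off next to the recommendation so that "keys generated and published for each domain" reads as the clearly preferred option rather than one of two equivalents. The reworded first sentence ("... and set d=example.org") is a good clarification of why the alignment error occurs.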