Tweak plugins/dkim doc to clarify the d= issue and add a third email reflector.

Hans Salvisberg 2015-01-29 02:05:28 +01:00
parent de08a11e04
commit c1e3652beb

@ -79,10 +79,11 @@ And the values in the address have the following meaning:
After confirming that the DKIM public key can be fetched with DNS (dig TXT may2013._domainkey.example.org. @ns1.example.org.), send test messages. You can testing DKIM by sending an email to: After confirming that the DKIM public key can be fetched with DNS (dig TXT may2013._domainkey.example.org. @ns1.example.org.), send test messages. You can testing DKIM by sending an email to:
* a Gmail address and inspect the Authentication-Results header. * a Gmail address and inspect the Authentication-Results header.
* mailtest@unlocktheinbox.com
* check-auth@verifier.port25.com * check-auth@verifier.port25.com
* checkmyauth@auth.returnpath.net * checkmyauth@auth.returnpath.net
The two DKIM relays provide a nice email report with additional debugging information. The three email reflectors provide nice email reports with additional debugging information.
=head2 publish DKIM policy in DNS =head2 publish DKIM policy in DNS
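Review bot: The context sentence above the list still reads "You can testing DKIM by sending an email to:"; since this hunk already edits the paragraph, change it to "You can test DKIM by sending an email to:". The closing sentence also hardcodes a count ("The three email reflectors"), which had to be edited here and will need editing again whenever the list changes; "These email reflectors" avoids that. The first bullet (a Gmail address) is not a reflector, so it may help to say that the reports come from the reflector addresses only.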
@ -105,11 +106,11 @@ Following the directions above will configure QP to DKIM sign messages from auth
cd ~smtpd/config/dkim cd ~smtpd/config/dkim
ln -s example.org client.com ln -s example.org client.com
QP will follow the symlink target and sign client.com emails with the example.org DKIM key. QP will follow the symlink target and sign client.com emails with the example.org DKIM key and set d=example.org.
This is B<not> necessary for hosts or subdomains. If the DKIM key for host.example.com does not exist, and a key for example.com does exist, the parent DKIM key will be used to sign the message. So long as your DKIM and DMARC policies are set to relaxed alignment, these signed messages for subdomains will pass. This is B<not> necessary for hosts or subdomains. If the DKIM key for host.example.com does not exist, and a key for example.com does exist, the parent DKIM key will be used to sign the message. So long as your DKIM and DMARC policies are set to relaxed alignment, these signed messages for subdomains will pass.
CAUTION: just because you can sign for other domains, doesn't mean you should. Even with a relaxed DKIM policy, if the other domain doesn't have a suitable DMARC record for client.com, they may encounter deliverability problems. It is better to have keys generated and published for each domain. CAUTION: just because you can sign for other domains, doesn't mean you should. Even with a relaxed DKIM policy, signing client.com's email with d=example.org causes an alignment error, and they may encounter deliverability problems. It is better to have keys generated and published for each domain, or at least to make a copy of config/dkim/example.org rather than linking to it.
=head1 SEE ALSO =head1 SEE ALSO
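Review bot: In the CAUTION paragraph, the new closing clause "or at least to make a copy of config/dkim/example.org rather than linking to it" does not say what a copy changes. The line above explains that the symlink results in d=example.org, so state the corresponding outcome for a copy (presumably d=client.com) and that the selector's public key then has to be published in client.com's DNS, otherwise readers trade one verification failure for another. A copied directory also means one private key shared by two domains, which deserves a sentence. Since the mention of a DMARC record was dropped from this paragraph, "alignment error" would be clearer as "DMARC alignment failure", and "they" no longer has a clear antecedent.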