On Tue 18/Aug/2020 03:56:12 +0200 Douglas E. Foster wrote:

d) The client develops a list of all of its third-party mailers and tells the third parties to begin applying the client's DKIM signature to their messages. This adds a boatload of complexity to the vendor's application, since he needs a different applied signature for each client. It requires either major changes to the application, a more sophisticated mail server, or a special box simply to sit in front of the mail server to detect and apply the correct signature. None of these seem like generic off-the-shelf solutions. I would not know where to buy that capability if I needed it today.



It doesn't have to add much complexity. My DKIM filter[*] looks up the signing domain in a configured folder where it can find the selector and the private key (actually a symbolic link). The signing domain can be configured to be the domain of the From: field.

The app just has to use the client's domain for both the envelope and the header, which is actually simpler than the pre-DMARC case.

The client must publish the public key supplied by the vendor and include the vendor's SPF stuff in its record. That's not automated, AFAIK, although dynamic DNS and suitable scripts could do.


Best
Ale
--

[*] http://www.tana.it/sw/zdkimfilter/zdkimfilter.html#signing

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
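
The per-client key lookup described in the reply above, as an added example that is not part of the original message and is not zdkimfilter's own code. It assumes a hypothetical key folder in which each entry is named after a signing domain and is a symbolic link to `<selector>.private`; the function names, domains and selectors are constructed for illustration.

```python
import os
import re
import stat
import tempfile
from email import message_from_string
from email.utils import parseaddr

# Assumed layout (hypothetical, modelled on the description in the message):
#   KEY_DIR/<signing-domain> -> symlink to <selector>.private
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def from_domain(raw_message):
    """Return the lower-cased domain of the From: header, or None."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    _, at, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    # The domain becomes a file name, so accept only plain DNS labels.
    if not at or not all(LABEL.fullmatch(l) for l in domain.split(".")):
        return None
    return domain

def lookup_key(key_dir, raw_message):
    """Map a message to (domain, selector, key_path); None means do not sign."""
    domain = from_domain(raw_message)
    if domain is None:
        return None
    entry = os.path.join(key_dir, domain)
    if not os.path.islink(entry):
        return None  # no key configured for this client
    target = os.path.realpath(entry)
    if not os.path.isfile(target):
        return None  # dangling link
    if stat.S_IMODE(os.stat(target).st_mode) & 0o077:
        return None  # private key readable by group or others
    selector = os.path.basename(target).split(".")[0]
    return domain, selector, target

def build_demo_dir():
    """Constructed sample: one vendor host holding keys for two clients."""
    key_dir = tempfile.mkdtemp()
    for domain, selector in (("client-a.example", "vendor2020"),
                             ("client-b.example", "mail1")):
        key = os.path.join(key_dir, selector + ".private")
        with open(key, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(key, 0o600)
        os.symlink(selector + ".private", os.path.join(key_dir, domain))
    return key_dir
```

Because the From: domain is taken from message content and used as a file name, the label check is what keeps a crafted address from steering the lookup outside the key folder.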
