Re: DKIM KEY SSP Override Option [was Re: The cost of choices]

Hector Santos wrote:

> For example: santronics.com
>
> Mail Flow Requirements:
>
> 1) I might want an exclusive policy for general
>    business/vendor communications where exclusive
>    outbound is only from santronics.com network.
>
> 2) I want a relaxed policy for non-business traffic
>    sent by our servers, i.e., a mailing list.
>
> The general topology is:
>
> MUA ---> MSA/MTA ---> MDA
>
> The final designation MDA is a DKIM ready verifier and signer too.
>
> Now at my santronics.com MTA, I have a configuration:
>
>    SELECTOR  business
>    SELECTOR  non-business mailinglist.com
>
> If my target address is mailinglist.com, the MTA will use the non-business
> selector.  Otherwise, the default will use the business selector.
>
> I use a STRONG policy for non-business
> I use an EXCLUSIVE policy for business (which is the default)

Something you have to remember here is that the signing policy lookup DOES
NOT have any selector to provide it a path into the DNS. All you know is what's
in the domain part of the From: address because... there's no signature. Thus you
always have to have the _policy record available at a fixed location.

We've thought quite a lot about this and it really looks like the only reasonable
way to deal with this is to segregate the traffic into different subdomains (yes,
I hear the groans) with different policies. The alternative is that you need to
enumerate all of the policies at one level of the DNS tree, which is unattractive
given MTU considerations. Thus, you'd want:

_policy._domainkey.biz.santronics.com. IN TXT "o=!;"

_policy._domainkey.santronics.com. IN TXT "o=-;"

or something like that.

Mike
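The following is an added example illustrating the point made in this message; it is not code from the thread, from Hector's MTA, or from any DKIM implementation. It shows why the policy query name can only be built from the From: domain (there is no selector on an unsigned message) and how the two subdomain records above give different verdicts for unsigned mail and for mail re-signed by a third party such as a mailing list. Assumptions: the o= tag meanings follow the early Sender Signing Policy draft as understood here (o=~ signs some mail, o=- signs all mail with third-party signatures still acceptable, o=! signs all mail and accepts only first-party signatures, o=. never sends mail); DNS answers come from a constructed in-memory table rather than a live resolver; no parent-domain fallback is attempted, so the record must sit at the exact query name; and the function names (`evaluate`, `fetch_policy`, `policy_name`) are invented for this example.

```python
"""
Minimal DKIM SSP-style policy check driven only by the From: domain.

Added example for this thread, not code from the thread or from any DKIM
implementation. Tag meanings are assumed from the early SSP draft:
o=~ signs some mail, o=- signs all mail (third-party signatures acceptable),
o=! signs all mail and allows only first-party signatures, o=. never sends.
"""
from email.utils import parseaddr

# Constructed stand-in for TXT answers, mirroring the two records proposed in
# the message above. A real verifier would query DNS here.
FAKE_DNS_TXT = {
    "_policy._domainkey.biz.santronics.com.": ["o=!;"],
    "_policy._domainkey.santronics.com.": ["o=-;"],
}


def from_domain(from_header):
    """Lowercase domain of the From: address, or '' if there is no address."""
    _, addr = parseaddr(from_header)
    _, at, host = addr.rpartition("@")
    return host.lower().rstrip(".") if at else ""


def policy_name(domain):
    """The only path into DNS for an unsigned message: a fixed label under the
    From: domain. There is no selector available to vary this name."""
    return f"_policy._domainkey.{domain}."


def parse_tags(record):
    """Parse a 'tag=value;tag=value' TXT record into a dict."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def fetch_policy(domain, resolver=FAKE_DNS_TXT):
    """Return the o= policy character for domain; '~' when no record exists."""
    strings = resolver.get(policy_name(domain))
    if not strings:
        return "~"
    return parse_tags("".join(strings)).get("o", "~")


def evaluate(from_header, signing_domain=None, resolver=FAKE_DNS_TXT):
    """Return (verdict, reason) for one message.

    signing_domain is the d= of a signature that already verified, or None
    when the message carries no valid signature. Only the From: domain feeds
    the policy lookup, which is the constraint discussed in the message.
    """
    domain = from_domain(from_header)
    if not domain:
        return ("suspicious", "no usable domain in From:")
    if signing_domain and signing_domain.lower().rstrip(".") == domain:
        return ("pass", "first-party signature matches From: domain")

    policy = fetch_policy(domain, resolver)
    if policy == ".":
        return ("suspicious", f"{domain} declares it never sends mail")
    if policy == "~":
        return ("neutral", f"{domain} does not require signatures")
    if policy == "-":
        if signing_domain:
            return ("pass", f"third-party signature by {signing_domain} accepted under o=-")
        return ("suspicious", f"unsigned mail but {domain} says all mail is signed")
    if policy == "!":
        if signing_domain:
            return ("suspicious", f"third-party signature by {signing_domain} not allowed under o=!")
        return ("suspicious", f"unsigned mail under exclusive policy of {domain}")
    return ("neutral", f"unrecognised policy {policy!r} for {domain}")


if __name__ == "__main__":
    # Constructed scenarios: business mail on the exclusive subdomain, list
    # traffic on the parent domain, and a domain with no policy record at all.
    cases = [
        ("Hector <hector@biz.santronics.com>", None),
        ("Hector <hector@biz.santronics.com>", "biz.santronics.com"),
        ("Hector <hector@biz.santronics.com>", "mailinglist.com"),
        ("Hector <hector@santronics.com>", "mailinglist.com"),
        ("Hector <hector@santronics.com>", None),
        ("someone@example.org", None),
    ]
    for hdr, d in cases:
        print(f"{hdr!r:40} d={d!s:20} -> {evaluate(hdr, d)}")
```

Run directly, the scenarios show the split Hector wants: unsigned or list-re-signed mail claiming to be from biz.santronics.com is suspicious under o=!, while the same list re-signing of mail from santronics.com passes under o=-. Note that the verifier never sees Hector's "business" or "non-business" selector at the policy step; that information lives only on the signer side.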