Messaging Server, MTA Preferred Practices, and Question on DKIM
By Joesciallo-Oracle on Dec 12, 2007
I'm very pleased to see this document. It has a clear structure and is easy to read.
If time permits I'll post a more descriptive review. One of the first things that I noticed is that SPF is mentioned, but DKIM is not. From a marketing perspective it is a good idea to mention SPF, but from a technical point of view it's more important to mention DKIM, and the way it can be used in such a configuration.
To respond to this comment, we brought up the topic of DKIM with an MTA engineer. In brief, the answer is that how you perform DKIM checks has no bearing on how you implement your AS/AV solution with respect to the MTA. On the other hand, your implementation of AS/AV services in front of the MTA definitely impacts SPF, because of its dependency on IP address information.
Additionally, we have omitted DKIM from this paper because, with regard to deployment design, it raises no unique issues of its own that aren't already there for other reasons.
Note: DKIM is a signature-based mechanism. The signature validation is done based on information provided through a header. As such, the system can perform DKIM checks whether or not you place an AS/AV appliance in front of the MTA. (An AS/AV appliance may alter message content in such a way as to break the signature, but that is highly unlikely.)
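The difference described above can be seen in a small added example (not code from Messaging Server or from the paper) that evaluates what the MTA sees with and without an appliance in front of it. The SPF record, IP addresses and message body are constructed sample values; the SPF check handles only `ip4:` and `all`, and the DKIM part covers only the body hash (`bh=`) with simple canonicalization, not the signature over the headers.

```python
import base64
import hashlib
import ipaddress

# Constructed sample data: hypothetical policy, addresses and message body.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"  # sender domain's published policy
SENDER_IP = "192.0.2.25"     # sender's outbound host
APPLIANCE_IP = "10.0.0.5"    # AS/AV appliance that relays to the MTA
BODY = b"Hello,\r\nthis is a test.\r\n"


def spf_check(record, client_ip):
    """Simplified SPF: evaluates only ip4: mechanisms and the 'all' term."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"


def dkim_body_hash(body):
    """bh= value for 'simple' body canonicalization with SHA-256 (RFC 6376)."""
    while body.endswith(b"\r\n\r\n"):   # ignore empty lines at the end
        body = body[:-2]
    if not body.endswith(b"\r\n"):      # body always ends with one CRLF
        body += b"\r\n"
    return base64.b64encode(hashlib.sha256(body).digest()).decode()


SIGNED_BH = dkim_body_hash(BODY)  # what the signer put in the header


def mta_view(client_ip, body):
    """Results the MTA gets from the connecting IP and the received body."""
    return {
        "spf": spf_check(SPF_RECORD, client_ip),
        "dkim_body": "pass" if dkim_body_hash(body) == SIGNED_BH else "fail",
    }


if __name__ == "__main__":
    print("direct:        ", mta_view(SENDER_IP, BODY))
    print("via appliance: ", mta_view(APPLIANCE_IP, BODY))
    print("body rewritten:", mta_view(APPLIANCE_IP, BODY + b"-- scanned --\r\n"))
```

The second case is the deployment the note describes: SPF changes with the connecting address while the body hash is unaffected. The third case is the exception in the parenthesis, where the appliance alters the content.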
We understand that DKIM is something a lot of people want to know more about and we'll undoubtedly have additional materials discussing DKIM in the future - especially once the SSP part of DKIM is finished.