I have a signing setup for the mail server.  The mail server is responsible for authenticating its users.  Hence all mail from my server goes out with a domainKey associated with the server rather than the domain it's being sent from.  I do not relay, so all the "clients" are from my server and I manage the DNS or provide them the following DNS entry for their DNS server:

Each domain has an entry like:
_domainkey      IN      TXT     "o=~; t=y"
ezms1._domainkey        IN      TXT     "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCkGBDCKbkuo6NgcmMoMMSELU6xkdGsiNJi+wqT+KYnHci4RmrFFq/2GFcjTlpYGR4IhXC+DnWSPoPg/z7UjGvh+i4TfDyusGKWvRQEJowKmopK380QL0JwVBrOUT4FnFUiW/HJLG38gdsAgO3PrrhNXsJjhS3LjnMW7lbvm4xT7QIDAQAB" ; ----- DKIM ezms1 for ez-merchant-hosting.com

Where 'ezms1' is the mail server that can be looked up via bind.

I believe this approach is what you want to do.  It makes the 'from' address irrelevant.  However, you have to know what your clients are doing, otherwise they can abuse your key.

Hope this helps....


ram wrote:
> On Tue, 2009-07-07 at 13:16 -0700, Mike Markley wrote:
>> On Tue, Jul 07, 2009 at 09:10:11AM -0700, SM <sm@resistor.net> wrote:
>>> Please explain what you are trying to do.
>> Based on the posts from dkim-ops, it seems that he's looking to use the
>> envelope sender as the signing identity. That doesn't seem problematic,
>> although what receivers will do with such a signature is questionable.
>>
>> I am also curious, though, about the reason the OP wants to do this...
>
> I am trying to DomainKeys-sign the mails relayed by our server for our
> customers. This is a newsletter and the From: header is not under our
> control. I can however control the envelope from and can use dkim
> signatures for the mail.
>
> I was looking at the code of dkim-milter and was able to "patch" it to
> use the envfrom to extract user & domain instead of Sender: or From:
>
> What I want to know ... is it standard practice to sign using any
> domain? What are the restrictions?
>
> There would be a lot of reasons for dkim-signing using envfrom. For example,
> this mailing list could sign its mails using signatures of
dkim-milter-discuss mailing list
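
Added example, not part of the original message and not dkim-milter code: a sketch of how a receiver derives the key lookup name from the signature's s= and d= tags alone, and how to tell whether the signing domain matches the From: header or the envelope sender. The selector and signing domain are taken from the record above; the message, customer.example and the placeholder bh=/b= values are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list (DKIM-Signature, key or policy record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def is_testing(record):
    """True when the record carries the 'y' (testing) flag in its t= tag."""
    return "y" in parse_tags(record).get("t", "").split(":")

def domain_of(addr):
    """Lower-cased domain part of a header or envelope address."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def within(domain, signing_domain):
    """True when domain equals the signing domain or is a subdomain of it."""
    return domain == signing_domain or domain.endswith("." + signing_domain)

def describe_signature(raw_message, envelope_from):
    """Report where the key is looked up and which identities d= covers."""
    msg = message_from_string(raw_message)
    sig = parse_tags(msg["DKIM-Signature"])
    d = sig["d"].lower()
    return {
        # The key is fetched from <selector>._domainkey.<d>; From: plays no part.
        "key_query": f"{sig['s']}._domainkey.{d}",
        "matches_from": within(domain_of(msg["From"]), d),
        "matches_envelope": within(domain_of(envelope_from), d),
    }

# Constructed sample: a customer newsletter signed with the server's domain.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=ez-merchant-hosting.com; s=ezms1;\n"
    "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: Newsletter <news@customer.example>\n"
    "To: reader@example.net\n"
    "Subject: July issue\n"
    "\n"
    "Hello.\n"
)

if __name__ == "__main__":
    print(describe_signature(SAMPLE, "bounce@ez-merchant-hosting.com"))
    print("policy record in test mode:", is_testing("o=~; t=y"))
```

A signature whose d= does not match the From: domain still verifies cryptographically; what a receiver does with it is a local policy decision.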