random technical thoughts from the Nominet technical team

DomainKeys signing for nominet.org.uk e-mails… not just yet.

Posted by dmitri on Mar 28th, 2008

I was set a task to deploy DomainKeys signing for @nominet.org.uk e-mails, so that any message which appears to come from @nominet.org.uk but is not signed with our key would be treated as suspicious. At first glance it appeared to be quite simple:
1. Generate a private/public key pair.
2. Configure our mail servers to sign outgoing e-mails with the private key.
3. Publish the public key in the nominet.org.uk zone.
And that’s done! Not quite.

We have some auxiliary mail servers serving nominet.org.uk subdomains, e.g. lists.nominet.org.uk (which is not delegated), where we cannot deploy DomainKeys signing just yet. After reading RFC 4870 I realized that a granular DomainKeys signing policy published in DNS would be just what we wanted. So my thought was to publish a policy like this:

1. any e-mails coming from @nominet.org.uk MUST be signed.
2. any e-mails coming from @subdomain.nominet.org.uk MAY be signed.

So the real records in the nominet.org.uk zone, with lists.nominet.org.uk as the example subdomain, would look like this:

_domainkey IN TXT "o=-"
_domainkey.lists IN TXT "o=~"

(In RFC 4870 the "o=" tag carries the outbound signing policy: "-" means the domain signs all of its e-mail, "~" means it may sign some of it. "o=~" is also the default a verifier assumes when no policy record is published at all.)

Here I bumped into a problem. Nowhere in RFC 4870 was it specified that MTAs MUST look up a subdomain's _domainkey policy, so I was not sure whether all MTA implementations would look up _domainkey.lists.nominet.org.uk for @lists.nominet.org.uk e-mails, or would just look up the _domainkey.nominet.org.uk policy instead. As a result I could not be sure that all MTAs would read our DomainKeys policy correctly.
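To make the three steps above and the policy question concrete, here is an added example (my own code, not Nominet's and not from the RFC) that builds the selector TXT record for the public key, parses RFC 4870 policy records, and shows how a verifier's outcome for unsigned mail depends on which _domainkey name it consults. DNS is simulated with an in-memory dict so the script runs offline; the record contents are the ones proposed in the post, while the selector name "sel1", the placeholder PEM and the message cases are assumptions constructed for the example.

```python
"""DomainKeys (RFC 4870) records for the nominet.org.uk layout in the post.

Added example; not Nominet's code.  DNS is simulated with an in-memory dict so
it runs offline.  Record contents are the ones proposed in the post; the
selector name, the placeholder key and the message cases are constructed here.
"""
from dataclasses import dataclass

# Constructed stand-in for the relevant TXT records of the nominet.org.uk zone.
# lists.nominet.org.uk is not delegated, so its record lives in the same zone.
ZONE = {
    "_domainkey.nominet.org.uk": "o=-",
    "_domainkey.lists.nominet.org.uk": "o=~",
}


@dataclass
class Policy:
    outbound: str = "~"      # o=: "-" all mail is signed, "~" some mail may be signed
    testing: bool = False    # t=y: verifiers must not act on failures
    notes: str = ""          # n=: human-readable note
    report: str = ""         # r=: address for reports
    published: bool = False  # False when no record exists and the defaults apply


def parse_policy(txt: str) -> Policy:
    """Parse a 'tag=value; tag=value' policy record (RFC 4870 section 3.6)."""
    pol = Policy(published=True)
    for field in txt.split(";"):
        if "=" not in field:
            continue                      # empty field or junk: ignore
        tag, value = (s.strip() for s in field.split("=", 1))
        if tag == "o":
            if value not in ("-", "~"):
                raise ValueError(f"unknown o= value {value!r}")
            pol.outbound = value
        elif tag == "t":
            pol.testing = value == "y"
        elif tag == "n":
            pol.notes = value
        elif tag == "r":
            pol.report = value
        # unrecognised tags are ignored, as the RFC requires
    return pol


def lookup_policy(domain: str, zone=ZONE) -> Policy:
    """RFC 4870 puts the policy at _domainkey.<domain of the From/Sender address>.

    Only that exact name is queried; there is no walk up to a parent.  A
    missing record means the defaults (o=~), which is why the subdomain record
    in the post is needed at all.
    """
    txt = zone.get("_domainkey." + domain.lower().rstrip("."))
    return parse_policy(txt) if txt is not None else Policy()


def disposition(from_domain: str, signature_verified: bool, zone=ZONE,
                policy_domain=None) -> str:
    """Verifier-side outcome for one message.

    policy_domain defaults to from_domain (the RFC 4870 behaviour).  Passing the
    parent domain instead models the MTA the post worried about: one that
    consults _domainkey.nominet.org.uk for @lists.nominet.org.uk mail.
    """
    if signature_verified:
        return "signed-ok"
    pol = lookup_policy(policy_domain or from_domain, zone)
    if pol.testing:
        return "unsigned-testing"         # t=y: record the failure, do not act on it
    if pol.outbound == "-":
        return "suspicious"               # domain states that all its mail is signed
    return "unsigned-allowed"             # o=~, explicit or default


def selector_record(selector: str, public_key_pem: str, testing: bool = False) -> str:
    """Build the '<selector>._domainkey' TXT record that publishes the public key.

    A single TXT <character-string> holds at most 255 octets, so a longer
    record is split into several quoted strings, which verifiers concatenate.
    """
    body = "".join(line.strip() for line in public_key_pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    tags = "k=rsa; " + ("t=y; " if testing else "") + "p=" + body
    chunks = [tags[i:i + 255] for i in range(0, len(tags), 255)]
    return f"{selector}._domainkey IN TXT " + " ".join(f'"{c}"' for c in chunks)


# Placeholder standing in for the base64 SubjectPublicKeyInfo that
# 'openssl rsa -pubout' prints; it is NOT a real key.
PLACEHOLDER_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                   + "\n".join(["A" * 64] * 5)
                   + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    print(selector_record("sel1", PLACEHOLDER_PEM))   # "sel1" is a made-up selector
    for dom, via in [("nominet.org.uk", None),
                     ("lists.nominet.org.uk", None),
                     ("lists.nominet.org.uk", "nominet.org.uk")]:
        print(dom, "policy via", via or dom, "->", disposition(dom, False, policy_domain=via))
```

The last two cases in the demo are the ambiguity the post describes: an unsigned message from @lists.nominet.org.uk is "unsigned-allowed" when the verifier queries the subdomain's own record, but "suspicious" if it only consults the parent's "o=-". The 255-octet split in selector_record is a separate practical caveat: 1024-bit keys fit in one string, but anything longer will not, and a record that is silently truncated by a zone file tool fails verification everywhere.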
And at that point I was told that RFC 4870 had been obsoleted by RFC 4871 (DKIM) and something important about signing policies had changed.

So, as of now, nominet.org.uk e-mails are not being signed yet and I am back reading RFCs, i.e. RFC 4871. I hope I read the right RFC this time.

One Response

  1. techblog » Blog Archive » DKIM and DomainKeys signing for @nominet.org.uk e-mails Says:

    […] is a follow up to my previous article, DomainKeys signing for nominet.org.uk e-mails… not just yet, I wrote a month ago. Since then all I did was reading RFC4871 forsaking all my other duties, […]
