From: Murray S. Kucherawy <>
Date: Wed, 11 Nov 2009 08:50:14 -0800

> -----Original Message-----
> From: [mailto:opendkim-users-
>] On Behalf Of Roman Gelfand
> Sent: Wednesday, November 11, 2009 6:40 AM
> To:
> Subject: DKIM
> This is more of a dkim question itself. So, pardon me for my
> ignorance. Is a public key used to verify domain, stored on dns?

Yes, that's how DKIM works.

> If
> so, how do you store it there?

In a TXT record. See RFC4871 for a description of the format. You can also use the script "" which comes in the source tarball to generate a private key and its matching DNS TXT record.

> Since we are using openssl with
> publicly available code, wouldn't this be an security hole?

It's no more insecure than posting your public key for others to verify mail you've sent when you're doing PGP or S/MIME signing.

> In opendkim, what happens to emails that don't have dkim key compared
> to emails that do?

Most of the time, nothing at all. However, you could configure your filter to reject unsigned mail if you want to be very strict.

Also, if the sending domain (i.e. the domain in the From: header field) posts a policy that all of its mail is DKIM-signed, you can configure your server to reject unsigned mail from that source.
Received on Wed Nov 11 2009 - 16:50:23 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:16:46 PST