RE: OpenDKIM + dk-milter = Overkill

From: Murray S. Kucherawy <>
Date: Wed, 26 Jan 2011 11:23:19 -0800

> -----Original Message-----
> From: [] On Behalf Of Steve Jenkins
> Sent: Wednesday, January 26, 2011 11:05 AM
> To: Andreas Schulze
> Cc:
> Subject: Re: OpenDKIM + dk-milter = Overkill
> What perplexes me, however, is that messages sent to me by Google
> (alerts, etc.) are signed with both. Why? And even though I can't find
> any documentation to back this up, some of my visitors swear they see
> better deliverability rates to Yahoo! if they sign with DomainKeys vs.
> DKIM. I haven't been able to verify that myself yet, however.

Official word from managers and engineers inside Yahoo! is that both technologies are evaluated on incoming mail and treated as equivalent. There's no benefit, at least at Yahoo!, to signing with both. ("Official" here means they've told me and said so in public at conferences, but there has been no press release or anything about it.)

I will ask why Google is still using both, but I imagine the answer will be roughly the same: "We'll turn it off when everyone else does."

> So I guess my question (for anyone) is this: as long as both
> signatures are added and no errors occur on the sender side, is there
> any technical drawback to signing with both - including the removal of
> the v=DKIM1 and g=* arguments from the DNS record?

There's no technological harm other than some computational overhead and one or two DNS queries when verifying. There's some political harm inasmuch as it gives the false impression that DK still has critical mass.

I can't speak for other implementations but I know that dk-milter is buggy and there's no intent (or justification) to go back and fix it, so in that case we're just prolonging the life of a flawed implementation of a deprecated protocol by helping others set it up.
Received on Wed Jan 26 2011 - 19:23:29 PST

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wed Jan 26 2011 - 21:50:01 PST