opendkim-genkey and "r=" tag

From: Giovanni Bajo <>
Date: Thu, 25 Aug 2011 18:17:26 +0200


opendkim-genkey (in OpenDKIM 2.4.2) generates DNS records which contain the "r=" tag for reporting; by default, it sets "r=postmaster;".

The "r=" tag is described in RFCs such as, and to the best of my understanding is not part of the official/original DKIM specification (

RFC4871 says in
> If the result returned from the query does not adhere to the
> format defined in this specification, the verifier MUST ignore
> the key record and return PERMFAIL (key syntax error). Verifiers
> are urged to validate the syntax of key records carefully to
> avoid attempted attacks. In particular, the verifier MUST ignore
> keys with a version code ("v=" tag) that they do not implement.

To the best of my understanding, this means that verifiers adhering to RFC4871 MUST return PERMFAIL when presented with DNS records as produced by opendkim-genkey by default. In fact, the Gmail verifier does this (as can be inferred from the Authentication-Results header added by the Gmail SMTP system).

I'm pretty new to DKIM, but it would look to me that if someone wants to add a specification for an "r=" tag in the DNS, that specification must also increase the "v=" tag version number.

Is this correct or am I missing something?

Giovanni Bajo   ::
Develer S.r.l.  ::
My Blog:
Received on Thu Aug 25 2011 - 16:17:33 PST
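
An added example, not part of the original post and not OpenDKIM code: a pre-publication check that parses a DKIM key record as an RFC 4871 tag-list and reports syntax problems plus any tags outside the key-record set defined in RFC 4871 section 3.6.1, such as the "r=" tag discussed above. The function names and the sample record are assumptions constructed for illustration; the check only reports such tags and does not model how any particular verifier treats them.

```python
import re

# Key-record tags defined in RFC 4871 section 3.6.1.
RFC4871_KEY_TAGS = {"v", "g", "h", "k", "n", "p", "s", "t"}
TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")  # tag-name = ALPHA 0*ALNUMPUNC

def parse_tag_list(record):
    """Split a DKIM tag-list (RFC 4871 section 3.2) into ordered (name, value) pairs."""
    pairs = []
    specs = record.split(";")
    if specs and not specs[-1].strip():
        specs.pop()  # a single trailing ";" is allowed by the grammar
    for spec in specs:
        name, sep, value = spec.partition("=")
        name = name.strip()
        if not sep or not TAG_NAME.match(name):
            raise ValueError("malformed tag-spec: %r" % spec.strip())
        pairs.append((name, value.strip()))
    return pairs

def audit_key_record(record):
    """Return (findings, extra_tags) for the TXT content of one DKIM key record."""
    findings = []
    try:
        pairs = parse_tag_list(record)
    except ValueError as exc:
        return [str(exc)], []
    names = [n for n, _ in pairs]
    tags = dict(pairs)
    dupes = sorted({n for n in names if names.count(n) > 1})
    if dupes:  # duplicate tag names invalidate the whole tag-list
        findings.append("duplicate tags: " + ", ".join(dupes))
    if "v" in tags:
        if names[0] != "v":  # v=, when present, must come first
            findings.append("v= present but not the first tag")
        if tags["v"] != "DKIM1":
            findings.append("unexpected version: v=" + tags["v"])
    if "p" not in tags:
        findings.append("required p= tag missing")
    extra = [n for n in names if n not in RFC4871_KEY_TAGS]
    return findings, extra

# Constructed sample shaped like the record the post describes; the key is a placeholder.
SAMPLE = "v=DKIM1; r=postmaster; g=*; k=rsa; p=PLACEHOLDERBASE64KEY"

if __name__ == "__main__":
    print(audit_key_record(SAMPLE))
```
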

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:19 PST