RE: DKIM DNS policy records

From: Murray S. Kucherawy <>
Date: Tue, 20 Mar 2012 18:01:18 +0000

> -----Original Message-----
> From: [] On Behalf Of Niccolò Belli
> Sent: Tuesday, March 20, 2012 7:39 AM
> To:
> Subject: DKIM DNS policy records
> IN TXT "v=DKIM1; g=*; k=rsa; p=<> ; -----
> DKIM for
> _domainkey IN TXT "t=n;o=-"
> IN TXT "dkim=discardable"
> Hi, the first one is my DKIM key record (domain is and
> selector is
> I saw gmail completely ignores my adsp policy record, but yahoo doesn't
> and so I think it's correct.
> But what about my _domainkey IN TXT "t=n;o=-" policy record? Is it
> needed for DKIM or only for domainkey? Should I add my selector in this
> policy record (---> IN TXT "t=n;o=-")?

Selectors in both DKIM and DomainKeys go in the same place.

The record is only used by DomainKeys, which is obsolete. The only thing that checks it is DomainKeys verifiers; DKIM verifiers ignore it. However, all the big mailbox providers that still check DomainKeys also check DKIM and treat them the same, so you don't really need to post this record or do DomainKeys signing at all.

> Currently if I disable DKIM signing and I send an e-mail to gmail it
> doesn't go in the spam folder as it should.

As SM said, that's not necessarily true. ADSP and DKIM both are just information for the receiver. The receiver can do what it wants with your mail even if ADSP and DKIM are failing.

Further, DKIM and ADSP can fail for good reasons on legitimate mail, so a site that puts unsigned or failing mail in a spam folder automatically is probably not acting very wisely.

Received on Tue Mar 20 2012 - 18:01:27 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:38 PST