Re: DKIM DNS policy records

From: SM <>
Date: Tue, 20 Mar 2012 11:11:50 -0700

Hi Niccolò,
At 09:52 20-03-2012, Niccolò Belli wrote:
>I'm sorry but from wikipedia[1] I read:
> discardable says all mail from the domain is
> signed with an Author Domain Signature;
> furthermore, *if such signature is missing or
> invalid, the receiving server is expected to drop the message*

The ADSP specification is at
Section 4.2.1 mentions that "the domain
encourages the recipient(s) to discard it".

> o - Outbound Signing policy ('-' means that
> this domain signs all email, '~' is the default
> and means that this domain may sign some email with DomainKeys).
> t - testing mode ('y' means that this domain
> is testing DomainKeys so unsigned and
> unverifiable email should not be treated
> differently from verified email. Recipient
> systems may wish to track testing mode results to assist the sender.)
>So I still don't see the difference between
>_domainkey IN TXT "t=n;o=-"
> IN TXT "dkim=discardable"

An ADSP (DNS) record would be at
_adsp._domainkey.domain.example. The
_domainkey.domain.example record was used for DomainKeys and not for ADSP.

>Do I need _domainkey IN TXT "t=n;o=-"? Should I
>change it adding the selector and/or domain?

No, you don't need that DomainKeys record. You
should not add the selector to the ADSP record.

>Do I need it at all?

The message I replied to comes from and went through the mailing list
manager before reaching me. If the message
was DKIM signed and the mailing list manager
modified the message, the DKIM-Signature would be
invalid. According to the dkim=discardable
policy, you are encouraging me to discard your
message. I gather that isn't really your intent. :-) IN TXT
"dkim=discardable" is ok if you know that it
won't cause messages you want delivered to be thrown away.

Received on Tue Mar 20 2012 - 18:17:46 PST
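
The distinction drawn in the message above, as an added example that is not part of the original e-mail: the sketch classifies a TXT owner name as a legacy DomainKeys policy record, an ADSP record or a selector key record, then shows what the published ADSP practice suggests when the Author Domain Signature no longer verifies (for instance after a mailing list manager modified the message). The zone contents, function names and outcome labels are constructed for illustration, and the tag parsing is simplified relative to the ADSP specification (RFC 5617).

```python
import re

ADSP_VALUES = {"unknown", "all", "discardable"}

# Constructed sample zone: TXT owner name -> record text (not real DNS data).
ZONE = {
    "_domainkey.domain.example": "t=n;o=-",  # legacy DomainKeys policy record
    "_adsp._domainkey.domain.example": "dkim=discardable",  # ADSP record
}


def record_kind(owner: str) -> str:
    """Classify a TXT owner name by the label convention each scheme uses."""
    labels = owner.rstrip(".").lower().split(".")
    if labels[:2] == ["_adsp", "_domainkey"]:
        return "adsp"
    if labels[0] == "_domainkey":
        return "domainkeys-policy"
    if len(labels) > 1 and labels[1] == "_domainkey":
        return "selector-key"  # <selector>._domainkey.<domain>
    return "other"


def parse_adsp(txt: str) -> str:
    """Return the signing practice named by the leading dkim= tag.

    Simplification: a record that does not start with a recognised
    dkim= tag is reported as "unknown" here.
    """
    m = re.match(r"dkim[ \t]*=[ \t]*([A-Za-z0-9-]+)", txt)
    if not m or m.group(1) not in ADSP_VALUES:
        return "unknown"
    return m.group(1)


def adsp_outcome(zone: dict, author_domain: str, author_sig_valid: bool) -> str:
    """What the author domain's published practice suggests for one message."""
    if author_sig_valid:
        return "pass"  # a valid Author Domain Signature satisfies any practice
    # Only the _adsp._domainkey name is consulted; the DomainKeys record is ignored.
    txt = zone.get(f"_adsp._domainkey.{author_domain}".lower())
    practice = parse_adsp(txt) if txt else "unknown"
    return {
        "unknown": "no-advice",
        "all": "suspicious",
        "discardable": "discard-encouraged",
    }[practice]


if __name__ == "__main__":
    for name in ZONE:
        print(name, "->", record_kind(name))
    # Signature broken in transit by a list manager:
    print(adsp_outcome(ZONE, "domain.example", author_sig_valid=False))
```
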
