Re: General OpenDKIM setup questions

From: Quanah Gibson-Mount <>
Date: Thu, 03 May 2012 13:52:31 -0700

--On Thursday, May 03, 2012 1:38 PM -0700 Todd Lyons <>

> On Thu, May 3, 2012 at 1:15 PM, Murray S. Kucherawy <>
> wrote:
>>> Ok.  What happens on the verification side if email X is sent out at
>>> 10:01:01, signed by "quanah2011", then the keys are updated at 10:01:02
>>> to "quanah2012", and the mail doesn't get verified on the receiving end
>>> (some remote domain with slow transports say. :P ) until 10:02:05 or
>>> something?
>>> Will verification still succeed?
>> Verification succeeds if the key is still in the DNS.  So when you
>> rotate a new key in, you should allow some overlap before removing the
>> older key from the DNS.
> Personally, I never delete an old key after I regenerate a new one.
> If I manually notice that there is an old key in some customer's
> domain, I'll delete it, but otherwise, it stays there until the
> customer lets their domain expire, closes their account, transfers the
> domain to some other hoster, etc.
> ...Todd

Good to know, thanks. This tool just makes it easy for someone to delete
the old key from LDAP, it does nothing on the DNS side. ;)


Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
Zimbra ::  the leader in open source messaging and collaboration
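As an added illustration of the point Murray makes above (verification only succeeds while the selector's key is still in DNS), here is a small Python model, not code from this thread, OpenDKIM or Zimbra. It resolves s= and d= from a DKIM-Signature header against constructed DNS TXT data, and adds a keystore-side guard that refuses to unpublish an old selector until an overlap window has elapsed. The selector names, domain, timestamps and p= values are all constructed placeholders, and the seven-day overlap is an assumed policy, not a value from the thread.

```python
from datetime import datetime, timedelta, timezone

# Constructed DNS data standing in for the TXT lookups a verifier performs.
# The p= values are placeholders, not real RSA public keys.
DNS_TXT = {
    "quanah2011._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_2011",
    "quanah2012._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_2012",
}


def parse_tags(text):
    """Parse a DKIM tag=value list (signature header or TXT record) into a dict."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # strip folding whitespace
    return tags


def key_published(selector, domain, dns=DNS_TXT):
    """True if <selector>._domainkey.<domain> still carries a usable DKIM1 key."""
    record = dns.get(f"{selector}._domainkey.{domain}")
    if record is None:
        return False
    tags = parse_tags(record)
    # v= is optional in the TXT record but must be DKIM1 if present; an empty
    # p= is how a key is revoked, so it fails the lookup as well.
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))


def signature_verifiable(dkim_signature, dns=DNS_TXT):
    """Verifier side: the signature can only be checked if s=/d= resolve to a key."""
    tags = parse_tags(dkim_signature)
    return key_published(tags.get("s", ""), tags.get("d", ""), dns)


def safe_to_unpublish(last_signed_at, now, overlap=timedelta(days=7)):
    """Keystore side: keep the old selector in DNS until mail signed with it
    has had time to be delivered and verified (overlap is an assumed policy)."""
    return now - last_signed_at >= overlap


def thread_scenario():
    """Timeline from the thread (constructed timestamps): signed 10:01:01,
    old key pulled at 10:01:02, remote verifier looks it up at 10:02:05."""
    utc = timezone.utc
    signed = datetime(2012, 5, 3, 10, 1, 1, tzinfo=utc)
    removed = datetime(2012, 5, 3, 10, 1, 2, tzinfo=utc)
    hdr = "v=1; a=rsa-sha256; d=example.com; s=quanah2011; h=from:to; bh=xx; b=yy"
    dns_after = {k: v for k, v in DNS_TXT.items() if not k.startswith("quanah2011.")}
    return {
        "verifiable_with_overlap": signature_verifiable(hdr, DNS_TXT),
        "verifiable_after_removal": signature_verifiable(hdr, dns_after),
        "removal_was_safe": safe_to_unpublish(signed, removed),
    }
```

Run `thread_scenario()` to see that the signature verifies only while quanah2011 remains published, and that pulling it one second after signing fails the overlap guard.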
Received on Thu May 03 2012 - 20:52:47 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:40 PST