Re: "unprotected key" with DNSSEC

From: Claus Assmann <>
Date: Tue, 30 Aug 2016 18:31:01 -0700

On Tue, Aug 30, 2016, Jim Fenton wrote:

> I sent a test message to myself through a forwarder (I had some problems
> with the milter config after a Linux upgrade) and now it's signing and
> verifying, but reporting that the key is unprotected. But my domain is
> DNSSEC signed, so I wonder why I'm seeing this.

> Authentication-Results:; dkim=pass
> reason="1024-bit key; unprotected key"

This is done on the "authorative" server for the domain, right?
Then DNSSEC does not consider the answer "secure".

Check the headers of your mail to the list and you see
the expected result:

Authentication-Results:; dkim=pass
        reason="1024-bit key; secure key"

DNSSEC is funny that way...

You might want to use one of those "auto-responders" for DKIM
Received on Wed Aug 31 2016 - 01:31:13 PST

This archive was generated by hypermail 2.3.0 : Wed Aug 31 2016 - 01:36:00 PST