[lug] Tell us how

Sean Reifschneider jafo at tummy.com
Mon Mar 4 13:40:30 MST 2013

On 02/15/2013 01:45 PM, Zan Lynx wrote:
> Huh? There's a DNS record that describes the DKIM information for the
> domain. If that exists then it is a DKIM domain.


Because I can't find anything in RFC5585 that says that you can do anything
but act on a valid signature.  In fact, it specifically says that a broken
signature must be treated as if there were no signature at all.  (3.2.2)
The section on verification (4.4) says that you can verify a signature, but
it says nothing about lack of a signature.

DKIM's goal is to allow filters to pass messages with valid signatures,
rather than rejecting messages without valid signatures.

However, I'd love to be proven wrong.

I like SPF, but it has the issue that if any of your recipients forward
e-mail to an SPF-checking host in a non-SPF compatible way, it will
reject it.  But, with SPF I can easily say that this third party is
authorized to send e-mail from my domain, say our accounting system.
With DKIM, they have to sign the messages, meaning they have to support
DKIM as well, but it will go through forwards fine.


More information about the LUG mailing list