Menu
▾
▴
Re: [dkim-milter-discuss] Message does not pass DomainKeys requirements
|
From: Hirohisa Y. <um...@gm...> - 2008-05-12 06:28:30
|
Hi, On Mon, May 12, 2008 at 2:47 PM, Zbigniew Szalbot <z.s...@lc...> wrote: > I beg your patience with me. Can you help me generate an appropriate DNS > entry for DKIM? > 1/ I do NOT use domainkeys, nor do I plan to do so. > 2/ I ONLY use DKIM and all mail sent from lists.lc-words.com is signed with > DKIM signature. > If I drop the "o=-" entry, that will just mean that some of the > lists.lc-words.com mail may be signed with domainkeys, right? Yes. There is no tag for stating a policy that the site does not sign any messages. > If so, what should the correct DNS entry for DKIM look like? > I did look at http://www.elandsys.com/resources/sendmail/dkim.html > where they suggest > mail._domainkey.example.com. IN TXT "k=rsa; > entry, so in my case should it be > _domainkey.lists.lc-words.com IN TXT "krsa; > ? TXT RR for pubkey is generated with dkim-genkey(8), and I seems that you've already got one for ``lcwords._domainkey.lists.lc-words.com''. > I currently have: > _domainkey.lists.lc-words.com. 2640 IN TXT "o=-\;" DKIM Signatures rfc (rfc4871) does not use _domainkey TXT RR as policy statement. It's only for DomainKeys. ``_asp._domainkey.'' is for that purpose (as in draft-ietf-dkim-ssp). e.g. _asp._domainkey.example.com. IN TXT "dkim=all" means messages from example.com is always signed. Regards, -- Hirohisa Yamaguchi um...@gm... |