There was a question about it on the mailing list back in 2010:
When the sending domain has a CNAME for '_adsp._domainkey.example.com', but this CNAME does not eventually resolve into a DKIM record, this is, in my understanding, a perfectly legit situation, strictly equivalent to "the domain does not have the _adsp DKIM record". However, it is treated by opendkim as temperror:
Authentication-Results: dehost; dkim=fail reason="verification failed; unprotected key" header.d=yahoo.com email@example.com header.b=z9etjPv7; dkim-adsp=temperror reason="'_adsp._domainkey.yahoo.com' reply was unresolved CNAME" (unprotected policy); dkim-atps=neutral
In this particular case the CNAME is of course a wildcard. I believe that such a configuration should resolve to definite "record not present" rather than temperror.
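For triage of mail logs affected by this behaviour, the following added example (not part of the original post and not opendkim code) parses an Authentication-Results value like the one quoted above and flags `dkim-adsp=temperror` results caused by an unresolved CNAME. The function names are hypothetical, and it assumes quoted strings contain no backslash-escaped quotes.

```python
import re

# Header value copied from the post above (text after "Authentication-Results:").
SAMPLE = ('dehost; dkim=fail reason="verification failed; unprotected key" '
          'header.d=yahoo.com email@example.com header.b=z9etjPv7; '
          'dkim-adsp=temperror reason="\'_adsp._domainkey.yahoo.com\' reply was '
          'unresolved CNAME" (unprotected policy); dkim-atps=neutral')

def split_unquoted(value, sep=";"):
    """Split on sep, ignoring separators inside double-quoted strings.

    A plain value.split(";") would cut the dkim reason above in half,
    because the reason text itself contains a semicolon.
    """
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

RESULT_RE = re.compile(r'^([\w-]+)=(\w+)')   # method=result at clause start
REASON_RE = re.compile(r'reason="([^"]*)"')  # optional quoted reason

def parse_authres(value):
    """Return (authserv_id, {method: {"result": ..., "reason": ...}})."""
    authserv, *clauses = split_unquoted(value)
    results = {}
    for clause in clauses:
        m = RESULT_RE.match(clause)
        if not m:
            continue  # tolerate clauses that are not method=result
        reason = REASON_RE.search(clause)
        results[m.group(1)] = {"result": m.group(2),
                               "reason": reason.group(1) if reason else None}
    return authserv, results

def adsp_dangling_cname(value):
    """True when dkim-adsp is temperror because of an unresolved CNAME."""
    _, results = parse_authres(value)
    adsp = results.get("dkim-adsp", {})
    return (adsp.get("result") == "temperror"
            and "unresolved CNAME" in (adsp.get("reason") or ""))
```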