Do you run a mail server, or own a domain example.com that you send mail from?

PSA about the Coming DKIMpocalypse on Thursday when Google and Yahoo tighten mail rules:

support.google.com/a/answer/81
senders.yahooinc.com/best-prac

1/3. The mail server must sign outgoing mail with DKIM. You generate a key pair called “foo” (e.g., with opendkim-genkey), configure your mail server to use it, and publish the public key in the DNS like:

foo._domainkey.example.com. IN TXT (
"v=DKIM1; k=rsa; "
"p=..."
)

Cassandrich

@riastradh Why just publish old ones retroactively when you could X-DKIM-Private-Key: in each mail? 😈

@dalias Caveat: Gotta remember to make the signature cover the X-DKIM-Private-Key header field! Otherwise the leaker could just strip it off.

(Also, I suspect that if a lot of senders started doing this, Google might not find the idea as amusing as you and I do!)

@riastradh @dalias Looks like goodbye most of the vger.kernel.org and freedesktop.org mailing lists. GMail was already bouncing those most of the time anyway.

@chris @riastradh @dalias I added rua to my DMARC TXT record because I'm a fool and I keep getting SPF failures logged because...vger will forward emails from me that aren't sent from the server in the SPF records. I hope someone fixes that soon.

@chris @riastradh Or goodbye gmail, which has always been garbage for participating in lists (no threading).

@dalias @riastradh I mean, yeah, basically any other (paid) option is better anyway. Also, if you're listening to the main linux-kernel list, you basically need paid level storage anyway.

@riastradh Thinking more about it, the X-DKIM-Private-Key header is actually *needed* to fix the non-repudiation leak DKIM entails.

Retroactively publishing keys still admits a non-repudiation attack by having (hashes of) emails notarized before the retroactive key publishing happens, possibly even doing so on receiving SMTP endpoint and prepending notary receipt to headers.