Do you run a mail server, or own a domain example.com that you send mail from?
PSA about the Coming DKIMpocalypse on Thursday when Google and Yahoo tighten mail rules:
https://support.google.com/a/answer/81126?hl=en
https://senders.yahooinc.com/best-practices/
1/3. The mail server must sign outgoing mail with DKIM. You generate a key pair called “foo” (e.g., with opendkim-genkey), configure your mail server to use it, and publish the public key in the DNS like:
foo._domainkey.example.com. IN TXT (
"v=DKIM1; k=rsa; "
"p=..."
)
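As an added example (not part of the original post, and not riastradh's tooling), here is stdlib-only Python that builds the foo._domainkey.example.com record from a base64 public key, splits it into the 255-byte character-strings a DNS TXT record is made of (which is why the record above is several quoted strings inside parentheses), and parses and sanity-checks a published record the way a verifier would. The key bytes are constructed filler of the right length and leading byte, not a real key, so the splitting path runs without any crypto library; the selector and domain are the ones from the post.

```python
"""Build, split and sanity-check a DKIM public-key TXT record (RFC 6376)."""
import base64
import re

# DNS TXT RDATA is a sequence of "character-strings" of at most 255 bytes.
# A 2048-bit RSA public key is about 392 base64 characters, so the record
# must be split into several quoted strings; verifiers concatenate them.
MAX_TXT_STRING = 255


def build_dkim_record(selector, domain, public_key_b64, key_type="rsa"):
    """Return zone-file text publishing public_key_b64 at
    <selector>._domainkey.<domain>, split into <=255-byte quoted strings."""
    value = f"v=DKIM1; k={key_type}; p={public_key_b64}"
    chunks = [value[i:i + MAX_TXT_STRING]
              for i in range(0, len(value), MAX_TXT_STRING)]
    lines = [f"{selector}._domainkey.{domain}. IN TXT ("]
    lines += [f'    "{chunk}"' for chunk in chunks]
    lines.append(")")
    return "\n".join(lines)


def txt_strings_from_zone(record):
    """Extract the quoted character-strings from a zone-file TXT record."""
    return re.findall(r'"([^"]*)"', record)


def parse_dkim_record(txt_strings):
    """Concatenate the TXT strings and parse the tag=value list into a dict.
    Whitespace inside a value (zone-file folding) is dropped, as verifiers do."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        if not part.strip():
            continue
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def check_dkim_record(tags):
    """Return a list of problems; an empty list means the record is usable."""
    problems = []
    key_type = tags.get("k", "rsa")
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag, if present, must be DKIM1")
    if key_type not in ("rsa", "ed25519"):
        problems.append(f"unknown key type {key_type!r}")
    if "p" not in tags:
        problems.append("p tag missing")
    elif tags["p"] == "":
        # RFC 6376: an empty p= means the key has been revoked.
        problems.append("p tag empty: this selector is revoked, not usable")
    else:
        try:
            key = base64.b64decode(tags["p"], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p tag is not valid base64")
        else:
            if key_type == "rsa":
                # RSA keys are DER SubjectPublicKeyInfo, which starts with an
                # ASN.1 SEQUENCE (0x30); a 1024-bit RSA SPKI is 162 bytes and
                # receivers reject anything shorter than 1024 bits.
                if not key or key[0] != 0x30:
                    problems.append("p tag is not a DER SubjectPublicKeyInfo")
                elif len(key) < 162:
                    problems.append("RSA key shorter than 1024 bits")
            elif key_type == "ed25519" and len(key) != 32:
                # RFC 8463: ed25519 p= is the raw 32-byte public key.
                problems.append("ed25519 key must be exactly 32 bytes")
    return problems


# Constructed sample: a 294-byte stand-in for a 2048-bit RSA SubjectPublicKeyInfo
# (same length and leading SEQUENCE tag, but NOT a real key) so the splitting
# path is exercised without any crypto library.
SAMPLE_SPKI = bytes([0x30, 0x82, 0x01, 0x22]) + bytes(i % 256 for i in range(290))
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_SPKI).decode("ascii")


def demo():
    """Round-trip: build the record for selector 'foo', parse it back, check it."""
    record = build_dkim_record("foo", "example.com", SAMPLE_KEY_B64)
    tags = parse_dkim_record(txt_strings_from_zone(record))
    return record, tags, check_dkim_record(tags)


if __name__ == "__main__":
    rec, parsed, problems = demo()
    print(rec)
    print("problems:", problems or "none")
```

In practice `opendkim-genkey -s foo -d example.com -b 2048` writes `foo.private` for the mail server and `foo.txt`, which already contains the record split this way; the checker above is useful for confirming what actually got published (fetch the TXT strings with `dig +short TXT foo._domainkey.example.com` and feed them to `parse_dkim_record`) before Thursday.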
@riastradh Why just publish old ones retroactively when you could X-DKIM-Private-Key: in each mail?
@dalias Caveat: Gotta remember to make the signature cover the X-DKIM-Private-Key header field! Otherwise the leaker could just strip it off.
(Also, I suspect that if a lot of senders started doing this, Google might not find the idea as amusing as you and I do!)
@riastradh @dalias Looks like goodbye most of the vger.kernel.org and freedesktop.org mailing lists. GMail was already bouncing those most of the time anyway.
@chris @riastradh @dalias I added rua to my DMARC TXT record because I'm a fool and I keep getting SPF failures logged because...vger will forward emails from me that aren't sent from the server in the SPF records. I hope someone fixes that soon.
@chris @riastradh Or goodbye gmail, which has always been garbage for participating in lists (no threading).
@dalias @riastradh I mean, yeah, basically any other (paid) option is better anyway. Also, if you're listening to the main linux-kernel list, you basically need paid level storage anyway.
@riastradh Thinking more about it, X-DKIM-Private-Key header is actually *needed* to fix the non-repudiation leak DKIM entails
Retroactively publishing keys still admits a non-repudiation attack by having (hashes of) emails notarized before the retroactive key publishing happens, possibly even doing so on receiving SMTP endpoint and prepending notary receipt to headers.
@dalias @riastradh This historically allowed arbitrary impersonation of your domain because SPF is ignored if DMARC is enabled and DKIM is valid. You could encrypt it with a key that's mostly zero bits though.
I wrote up my tooling for publishing keys: