Do you run a mail server, or own a domain example.com that you send mail from?
PSA about the Coming DKIMpocalypse on Thursday when Google and Yahoo tighten mail rules:
https://support.google.com/a/answer/81126?hl=en
https://senders.yahooinc.com/best-practices/
1/3. The mail server must sign outgoing mail with DKIM. You generate a key pair called “foo” (e.g., with opendkim-genkey), configure your mail server to use it, and publish the public key in the DNS like:
foo._domainkey.example.com. IN TXT (
"v=DKIM1; k=rsa; "
"p=..."
)
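An added example, not from this thread or from opendkim, in Python: it renders the selector._domainkey record above in zone-file syntax, splitting the long p= value into 255-character strings as the parenthesised form requires, and parses a published record back to check it before a verifier or operator relies on it. SAMPLE_P is constructed and stands in for the base64 DER public key; the real value is the p= in the foo.txt that opendkim-genkey writes.

```python
import base64
import re

# Constructed sample standing in for the base64 DER public key; not a real RSA
# key.  A real value is the p= in the foo.txt that opendkim-genkey writes.
SAMPLE_P = base64.b64encode(bytes(range(256)) * 2).decode()


def dkim_zone_record(selector, domain, pubkey_b64, key_type="rsa"):
    """Render selector._domainkey.domain as a zone-file TXT record.  Each
    quoted string in TXT RDATA holds at most 255 characters, so the long p=
    value is split across several strings that resolvers concatenate."""
    body = f"v=DKIM1; k={key_type}; p={pubkey_b64}"
    chunks = [body[i:i + 255] for i in range(0, len(body), 255)]
    lines = [f"{selector}._domainkey.{domain}. IN TXT ("]
    lines += [f'    "{chunk}"' for chunk in chunks]
    lines.append(")")
    return "\n".join(lines)


def join_txt_strings(zone_text):
    """Concatenate the quoted strings of a TXT record into one value, as a
    resolver presents it, ignoring the zone-file punctuation around them."""
    return "".join(re.findall(r'"([^"]*)"', zone_text))


def parse_dkim_record(txt):
    """Parse the tag=value list of a DKIM key record (RFC 6376 section 3.6.1)
    and return (tags, problems) for the checks worth making before trusting
    the key: version, key type, usable p=, and the testing flag."""
    tags = {}
    for item in txt.split(";"):
        if item.strip():
            name, _, value = item.partition("=")
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type k=" + tags["k"])
    if "p" not in tags:
        problems.append("p= tag missing")
    elif tags["p"] == "":
        problems.append("p= is empty: key revoked")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y: selector in testing mode")
    return tags, problems
```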
@riastradh Why just publish old ones retroactively when you could X-DKIM-Private-Key: in each mail?
@riastradh Thinking more about it, X-DKIM-Private-Key header is actually *needed* to fix the non-repudiation leak DKIM entails
Retroactively publishing keys still admits a non-repudiation attack by having (hashes of) emails notarized before the retroactive key publishing happens, possibly even doing so on the receiving SMTP endpoint and prepending the notary receipt to the headers.
@dalias @riastradh This historically allowed arbitrary impersonation of your domain because SPF is ignored if DMARC is enabled and DKIM is valid. You could encrypt it with a key that's mostly zero bits though.
I wrote up my tooling for publishing keys: