Per allowance by RFC
The DKIM-Signature Header Field
Signature Expiration (plain-text unsigned decimal integer;
RECOMMENDED, default is no expiration). The format is the same as in the
"t=" tag, represented as an absolute date
sig-x-tag = %x78 [FWS] "=" [FWS] 1*12DIGIT
I'm specifying my DKIM keys' intended, target expiration date with "x=" in
the DNS TXT record,
selector._domainkey.example.com. 5 IN TXT (
"v=DKIM1; h=sha256; k=rsa; s=email; t=s; x=1525737600;"
Testing my published records, all PASS -- no errors.
I understand that "x=" MAY be ignored by verifiers,
6.1.1 Validate the Signature Header Field
Verifiers MAY ignore the DKIM-Signature header field and return
PERMFAIL (signature expired) if it contains an "x=" tag and the signature
Looking at received/analyzed headers at a collection of mail recipient
servers, including a couple 'robust' mail providers,
The message 'signing timestamp', "t=##########", *IS* present.
But, I do NOT see any evidence of "x=".
Testing with an "x=" <= 'signing timestamp', the messages are NOT rejected
by either of the recipient servers, so it appears they're not *USING*,
rather than simply not *REPORTING*, the "x=" tag for validity checks.
Are "x=" tags simply not in wide use for validity checks?
Or, is there additional config required in the DKIM record spec to
enaure/force its usage?
dkim-ops mailing list