Per allowance by RFC
http://dkim.org/specs/rfc4871-dkimbase.html#dkim-sig-hdr 3.5
The DKIM-Signature Header Field
...
x=
Signature Expiration (plain-text unsigned decimal integer;
RECOMMENDED, default is no expiration). The format is the same as in the
"t=" tag, represented as an absolute date
...
ABNF:
sig-x-tag = %x78 [FWS] "=" [FWS] 1*12DIGIT
...
I'm specifying my DKIM keys' intended, target expiration date with "x=" in
the DNS TXT record,
e.g.,
selector._domainkey.example.com. 5 IN TXT (
"v=DKIM1; h=sha256; k=rsa; s=email; t=s; x=1525737600;"
"p=M...B;"
)
Testing my published records, all PASS -- no errors.
I understand that "x=" MAY be ignored by verifiers,
http://dkim.org/specs/rfc4871-dkimbase.html
6.1.1 Validate the Signature Header Field
...
Verifiers MAY ignore the DKIM-Signature header field and return
PERMFAIL (signature expired) if it contains an "x=" tag and the signature
has expired.
...
Looking at received/analyzed headers at a collection of mail recipient
servers, including a couple 'robust' mail providers,
gmail.com
fastmail.com
The message 'signing timestamp', "t=##########", *IS* present.
But, I do NOT see any evidence of "x=".
Testing with an "x=" <= 'signing timestamp', the messages are NOT rejected
by either of the recipient servers, so it appears they're not *USING*,
rather than simply not *REPORTING*, the "x=" tag for validity checks.
Are "x=" tags simply not in wide use for validity checks?
Or, is there additional config required in the DKIM record spec to
ensure/force its usage?
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
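
An added example, not part of the original post: the expiration check quoted from section 6.1.1, applied to the "x=" tag of a DKIM-Signature header field as section 3.5 defines it. The function names, the sample header value and the choice to fail a signature whose "x=" is not later than its "t=" are assumptions of this example.

```python
import re
import time

# Value syntax for x= (and t=) per the ABNF quoted above: 1*12DIGIT
_TS = re.compile(r"^[0-9]{1,12}$")

def parse_tags(header_value):
    """Split a DKIM tag-list ("a=b; c=d") into a dict.

    Whitespace inside values (header folding) is dropped, which is enough
    for the numeric t=/x= tags examined here.
    """
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_expiration(header_value, now=None):
    """Return (verdict, reason) for the x= tag of one DKIM-Signature value."""
    now = int(time.time()) if now is None else now
    tags = parse_tags(header_value)
    x, t = tags.get("x"), tags.get("t")
    if x is None:
        return ("ok", "no x= tag: signature does not expire")
    if not _TS.match(x):
        return ("permfail", "x= is not 1*12DIGIT")
    # Assumption of this example: a signature whose x= is not later than
    # its own t= is treated as a failure rather than silently accepted.
    if t is not None and _TS.match(t) and int(x) <= int(t):
        return ("permfail", "x= must be greater than t=")
    if now > int(x):
        return ("permfail", "signature expired")
    return ("ok", "signature valid until x=")

# Constructed sample header value (not a real signature; bh=/b= are placeholders).
SAMPLE = ("v=1; a=rsa-sha256; d=example.com; s=selector; t=1525000000;\r\n"
          "\tx=1525737600; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    for when in (1525100000, 1525737601):
        print(when, check_expiration(SAMPLE, now=when))
```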