
[dkim-ops] dkim key "x=" expiration tags -- not in wide use, or need additional config?

2018-01-01 15:24:26
Per allowance by RFC 3.5

        The DKIM-Signature Header Field

                Signature Expiration (plain-text unsigned decimal integer;
RECOMMENDED, default is no expiration). The format is the same as in the
"t=" tag, represented as an absolute date

                        sig-x-tag    = %x78 [FWS] "=" [FWS] 1*12DIGIT

I'm specifying my DKIM keys' intended, target expiration date with "x=" in
the DNS TXT record,
 e.g., 5 IN TXT (
      "v=DKIM1; h=sha256; k=rsa; s=email; t=s; x=1525737600;"

Testing my published records, all PASS -- no errors.

I understand that "x=" MAY be ignored by verifiers,

        6.1.1 Validate the Signature Header Field
            Verifiers MAY ignore the DKIM-Signature header field and return
PERMFAIL (signature expired) if it contains an "x=" tag and the signature
has expired.

Looking at received/analyzed headers at a collection of mail recipient
servers, including a couple 'robust' mail providers,

The message 'signing timestamp', "t=##########", *IS* present.

But, I do NOT see any evidence of "x=".

Testing with an "x=" <= 'signing timestamp', the messages are NOT rejected
by either of the recipient servers, so it appears they're not *USING*,
rather than simply not *REPORTING*, the "x=" tag for validity checks.

Are "x=" tags simply not in wide use for validity checks?

Or, is there additional config required in the DKIM record spec to
ensure/force its usage?
dkim-ops mailing list
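
An added example, not part of the original post: a sketch of the two places a verifier following RFC 6376 parses tag lists, the DNS key record (section 3.6.1 tag set, unrecognized tags ignored) and the per-message DKIM-Signature header, where the "x=" check from the quoted sections 3.5 and 6.1.1 is applied. The function names are hypothetical and the signature header is constructed; only the key record string comes from the post.

```python
import re
import time

# Tags RFC 6376 section 3.6.1 defines for the DNS key record.
KEY_RECORD_TAGS = {"v", "h", "k", "n", "p", "s", "t"}

def parse_tag_list(text):
    """Parse a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def ignored_key_record_tags(txt_record):
    """Tags in a key record that a verifier skips as unrecognized."""
    return sorted(set(parse_tag_list(txt_record)) - KEY_RECORD_TAGS)

def check_signature_expiry(dkim_signature, now=None):
    """Apply the x= checks to a DKIM-Signature header value."""
    tags = parse_tag_list(dkim_signature)
    x, t = tags.get("x"), tags.get("t")
    if x is None:
        return "ok (no expiration)"
    if not re.fullmatch(r"[0-9]{1,12}", x):
        return "PERMFAIL (malformed x=)"
    # x= must be greater than t= when both are present (section 3.5).
    if t is not None and re.fullmatch(r"[0-9]{1,12}", t) and int(x) <= int(t):
        return "PERMFAIL (x= not after t=)"
    now = time.time() if now is None else now
    # Section 6.1.1: a verifier MAY fail a signature whose x= has passed.
    return "PERMFAIL (signature expired)" if now > int(x) else "ok"

# Key record as published in the post above.
KEY_RECORD = "v=DKIM1; h=sha256; k=rsa; s=email; t=s; x=1525737600;"
# Constructed header value; d=, s=, bh= and b= are placeholders.
SIGNATURE = ("v=1; a=rsa-sha256; d=example.com; s=sel1; t=1514820266;"
             " x=1525737600; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    print("ignored in key record:", ignored_key_record_tags(KEY_RECORD))
    print("before x=:", check_signature_expiry(SIGNATURE, now=1520000000))
    print("after x=: ", check_signature_expiry(SIGNATURE, now=1530000000))
```
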