ietf-dkim

Re: [ietf-dkim] Escaping things in key/ADSP records

2009-08-01 13:50:18
Jim Fenton wrote:
> If you still have the records, can you count the number of records
> with g=; ? That's used in an example in some of the DomainKey specs
> and works for DK but means "match nothing" for DKIM.

I was planning on doing an analysis of the key values anyway, so here goes.

65461 DNS _domainkey records were examined that did not contain syntax 
errors. Of these, 37309 were used by DKIM and 46623 were used by 
DomainKeys. (Some were used by both.) Of them, 2186 have v=DKIM1.

==== mistakes ====
As noted before, there were a number of mistakes found within the key 
records. I found occurrences of all of these:
        DKIM=unknown    O=-             a=rsa-sha1
        c=nofws         c=relaxed/relaxed
        d=SOMEDOMAIN    dkim=all        i=*
        kv=DKIM1        o=-             o=~
        q=dns

If I trim the list down to the v=DKIM1 records, there are STILL errors:
        c=relaxed/relaxed       o=-

There are a few records that have r=EMAIL values in them.

==== legal keys ====

====== g= ======

The following valid g= values were used by DKIM:

        g=
        g=*
        g=noreply

For v=DKIM1 records, it's just

        g=*
        g=noreply

This confirms the suggestion a couple meetings ago that vendors should 
treat g= as equivalent to g=* if v=DKIM1 is not found.

There were NO cases of g=; found for v=DKIM1 records.

====== h= ======

The following valid h= values were used by DKIM. All of these were in 
v=DKIM1 records:

        h=sha1
        h=sha1:sha256
        h=sha256

A notable mistake was an entry with this value:
        h=rsa-sha1

====== k= ======

The following valid k= values were used by DKIM.

        k=rsa

A notable mistake was an entry with this value:

        k=rsa-sha1

It was NOT the same record as the similar h= mistake.

====== n= ======

1879 of the records used n=.

====== s= ======

The value
        s=email
was used in 33 records, 31 along with v=DKIM1.

====== t= ======

The following valid t= values were used by DKIM.

        t=s
        t=s:y
        t=y
        t=y:s

Of note are these two mistakes:
        t=n
        t=s|y


Hope people found this of interest.

        Tony Hansen
        tony(_at_)att(_dot_)com
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
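
The tally in the message above can be turned into a per-record check. The following is an added example, not part of the original post and not code from its author: a small linter that flags tags and values outside the valid sets listed in the message and applies the suggested handling of an empty g= when v=DKIM1 is absent. The function names, finding strings and sample records are constructed for illustration, and the tag set is the RFC 4871 key-record set.

```python
# Added example: lint a _domainkey TXT record against the values tallied in the post.
KNOWN_TAGS = {"v", "g", "h", "k", "n", "p", "s", "t"}  # RFC 4871 key-record tags
VALID = {  # tags whose value is a colon-separated list of fixed keywords
    "h": {"sha1", "sha256"},
    "k": {"rsa"},
    "s": {"email", "*"},
    "t": {"s", "y"},
}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict. Tag names are case-sensitive."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part!r}")
        # Whitespace inside values is dropped so 's : y' compares as 's:y'.
        tags.setdefault(name.strip(), "".join(value.split()))
    return tags

def lint(record):
    """Return (findings, effective_g) for one key record."""
    tags = parse_tags(record)
    findings = []
    for name, value in tags.items():
        if name not in KNOWN_TAGS:
            findings.append(f"unknown tag {name}={value}")
        elif name in VALID and any(v not in VALID[name] for v in value.split(":")):
            findings.append(f"invalid {name}={value}")
    g = tags.get("g", "*")  # an absent g= defaults to '*'
    if g == "" and tags.get("v") != "DKIM1":
        g = "*"  # suggestion from the post: DomainKeys-era record, treat as g=*
        findings.append("empty g= without v=DKIM1: treated as g=*")
    elif g == "":
        findings.append("empty g= in v=DKIM1 record matches nothing")
    return findings, g

# Constructed sample records; the p= values are placeholders, not real keys.
SAMPLES = [
    "v=DKIM1; k=rsa; t=s:y; p=PLACEHOLDER",
    "k=rsa; g=; p=PLACEHOLDER",
    "v=DKIM1; h=rsa-sha1; t=s|y; o=-; p=PLACEHOLDER",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", lint(rec))
```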