
Re: [ietf-dkim] Key rotation

2010-09-09 14:16:19

On Sep 9, 2010, at 9:57 AM, Mark Martinec wrote:

> Mark Delany wrote:
>> I believe the general thrust is that DKIM keys are ephemeral
>> so no one should rely on their long-term presence. [...]
>
> With each key there is an associated selector:domain pair,
> so with a key rotation comes the change of a selector.
> Such a purpose of a selector is clearly documented in the
> DKIM rfc.
>
> Rumor has it that some large players (such as Yahoo!) are
> disregarding such ephemeral property of a selector and
> are trying to associate a reputation scheme based on both
> the domain *and* the selector.

I don't believe this is true. I think it's being disseminated
by bulk mail folks who don't really understand what a DKIM
selector is for and who love to speculate about the dead
goats and pentagrams used at large consumer ISPs.

There's endless speculation amongst bulk mailers about
the reputation tracking and spam filtering black boxes used
by the big consumer ISPs, and it's amazing how far off
into the weeds it gets ("AOL won't deliver email with a
pink background", "Gmail blocks all email with a facebook
URL", "Yahoo will block your mail if you change your
DKIM selector", ...)

> If such an approach catches on,
> it would mean the end of a free choice of domains to roll up
> new signing keys periodically.
>
> Are my worries warranted?

I don't believe so. Without hard data or an official
statement from major ISPs that they're doing something
stupid with DKIM selectors I think you're safe to
ignore the issue.

> Is there anything that can be
> done about it to prevent such practice?

Ignore the FUD. Use d= as your reputation key, with 
subdomains for different mail streams. Leave selectors
for key rotation[1] and multiple sender support[2].

Cheers,
  Steve

[1] http://labs.wordtothewise.com/keydancer/

[2] http://dkimcore.org/deployment/esp.html
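Steve's advice above, as an added example that is not part of the thread or of any DKIM implementation: a small verifier-side Python helper that keys reputation on d= and uses the selector s= only to build the DNS lookup name, so a key rotation does not reset a domain's history. The header values and domains are constructed samples.

```python
"""Reputation keying for DKIM-signed mail: track reputation under d= (the signing
domain), never under s= (the selector, which changes on every key rotation)."""
import re
from collections import defaultdict

def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 tag-list).
    Folding whitespace inside values (common in b= and h=) is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def reputation_key(header_value: str) -> str:
    """Identity to track reputation under: the lower-cased d= domain.  It is
    stable across key rotation; s= is deliberately ignored so a selector
    change does not reset the domain's history."""
    tags = parse_dkim_tags(header_value)
    if tags.get("v") != "1" or "d" not in tags or "s" not in tags:
        raise ValueError("not a v=1 DKIM-Signature with d= and s= tags")
    return tags["d"].lower()

def dns_record_name(header_value: str) -> str:
    """Where a verifier fetches the public key: <s>._domainkey.<d>.
    This lookup is the only place the selector belongs."""
    tags = parse_dkim_tags(header_value)
    return f"{tags['s']}._domainkey.{tags['d'].lower()}"

# Constructed sample headers: one organisation using a sub-domain per mail
# stream and rotating selectors monthly (bh=/b= are placeholders, not real).
SAMPLE_HEADERS = [
    "v=1; a=rsa-sha256; d=news.example.com; s=2010aug; h=from:to:subject; bh=AAAA; b=BBBB",
    "v=1; a=rsa-sha256; d=news.example.com; s=2010sep;\r\n\th=from:to:subject; bh=AAAA; b=CC\r\n\tCC",
    "v=1; a=rsa-sha256; d=Billing.Example.com; s=2010sep; h=from:to; bh=AAAA; b=DDDD",
]

def tally(headers) -> dict:
    """Signed-message count per reputation key; the selector change between
    the first two samples leaves them merged under one key."""
    counts = defaultdict(int)
    for h in headers:
        counts[reputation_key(h)] += 1
    return dict(counts)

if __name__ == "__main__":
    print(tally(SAMPLE_HEADERS), [dns_record_name(h) for h in SAMPLE_HEADERS])
```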
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
