
Why create a dummy wildcard DKIM record with an invalid/empty public key? Is this in some way different to an absent record?

EDIT: My reading of the RFC is that an absent DKIM record is a PERMFAIL [1], exactly the same result as a record with an empty p=. Exact quote:

"There is no defined semantic difference between a key that has been revoked and a key record that has been removed."

[1] https://www.ietf.org/rfc/rfc6376.txt, section 6.1.2



The reality is that an absent DKIM TXT record does not really tell whether the server in question is a legacy mail server or a new domain without mail servers (and you cannot do this with WHOIS filtering because some ccTLDs do not store when the domain was first acquired, only when it was last renewed). At least if you are putting a blank key, it will signal to supporting mail servers that it is a positive fail, and not a possible legacy mail system.


A domain with a DMARC record specifying a strict DKIM checking policy and an absent DKIM record can't realistically be considered a legacy domain.


But DKIM has existed since around 2004, while the first draft of DMARC came seven years after that. In other words, the empty DKIM record is for backward compatibility: it signals to other servers that do not yet read DMARC but already do DKIM verification that this domain does not send emails.


If the message isn't signed, the receiver won't do a DKIM lookup. If the message is signed, whether the record is absent or empty doesn't matter, validation will fail.
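As an added illustration (not from this thread, and not any real verifier's code), here is a small Python model of the key-lookup step in RFC 6376 section 6.1.2, run against a constructed in-memory zone instead of real DNS. It shows the equivalence the comments above are discussing: a missing record, an explicit `p=` revocation, and a wildcard `*._domainkey` revocation all end in PERMFAIL, and only a record with usable key data lets verification continue. Domain names, selectors and the key bytes are placeholders; the "no key for signature" and "key revoked" reason strings follow the RFC's wording, the other reason strings and the simplified wildcard matching are this example's own.

```python
from __future__ import annotations

import base64
import binascii
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS: fully-qualified TXT names -> record text.
# Names use reserved/placeholder domains; the "key" is not a real RSA key.
FAKE_PUBKEY = base64.b64encode(b"placeholder, not a real public key").decode()
ZONE = {
    # Live selector with (fake) base64 public-key data.
    "s1._domainkey.example.com": f"v=DKIM1; k=rsa; p={FAKE_PUBKEY}",
    # Explicitly revoked selector: empty p= (RFC 6376 section 6.1.2).
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",
    # Wildcard "revoked" record for a domain that sends no mail,
    # the pattern the thread is asking about.
    "*._domainkey.nomail.example": "v=DKIM1; p=",
}


def parse_dkim_record(txt: str) -> dict[str, str]:
    """Parse an RFC 6376 tag=value list: ';'-separated, surrounding whitespace ignored."""
    tags: dict[str, str] = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue  # trailing ';' or empty field
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[name.strip()] = value.strip()
    return tags


def lookup_txt(name: str, zone: dict[str, str]) -> Optional[str]:
    """Exact match first, then a DNS-style wildcard on the leftmost label.

    Simplified: real wildcard rules (RFC 4592) are more involved, but for
    <selector>._domainkey.<domain> only the selector label is ever wildcarded.
    """
    if name in zone:
        return zone[name]
    labels = name.split(".")
    return zone.get(".".join(["*"] + labels[1:]))


@dataclass
class KeyResult:
    status: str            # "OK" or "PERMFAIL"
    reason: str
    pubkey: Optional[bytes] = None


def evaluate_key(selector: str, domain: str, zone: dict[str, str]) -> KeyResult:
    """Model the verifier's public-key retrieval (RFC 6376 section 6.1.2)."""
    txt = lookup_txt(f"{selector}._domainkey.{domain}", zone)
    if txt is None:
        return KeyResult("PERMFAIL", "no key for signature")       # record absent
    try:
        tags = parse_dkim_record(txt)
    except ValueError as exc:
        return KeyResult("PERMFAIL", f"invalid key record: {exc}")
    if tags.get("v", "DKIM1") != "DKIM1":                          # v= is optional, default DKIM1
        return KeyResult("PERMFAIL", "unsupported key record version")
    p = tags.get("p")
    if p is None:
        return KeyResult("PERMFAIL", "key record lacks p= tag")     # p= is REQUIRED
    p = "".join(p.split())                                         # RFC allows folding whitespace in base64
    if p == "":
        return KeyResult("PERMFAIL", "key revoked")                # record present, key withdrawn
    try:
        key = base64.b64decode(p, validate=True)
    except binascii.Error:
        return KeyResult("PERMFAIL", "key data is not valid base64")
    return KeyResult("OK", "key available", key)                   # signature check would proceed


def demo() -> dict[str, KeyResult]:
    """Run the four cases the thread contrasts against the constructed zone."""
    return {
        "live": evaluate_key("s1", "example.com", ZONE),
        "revoked": evaluate_key("old", "example.com", ZONE),
        "absent": evaluate_key("gone", "example.com", ZONE),
        "wildcard": evaluate_key("anything", "nomail.example", ZONE),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9} {result.status:8} {result.reason}")
```

The two PERMFAIL reasons differ only in diagnostics; a receiver treats both as a failed signature, which is the point the RFC quote above makes. Note that the lookup only happens for a message carrying a DKIM-Signature header naming that selector; unsigned mail never reaches this code path.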



