On 9/12/2025 6:37 am, Hannah Stern wrote:
> IIRC it's part of the design of DKIM (both 1 and 2) that signatures are usable for validating only "soon" after the message has been originally sent/signed (ideally the "x" time of a DKIM1 signature, or the maximum validity period of a DKIM2 signature as defined by the drafts).
Sorry for the late reply. I have been unwell and am a bit behind on my mailing list reading.
Timely verification has never been anything more than a recommendation (6. Verifier Actions). The section you are referring to (3.1 Selectors) does refer to the removal of the public key after transitioning to a new selector, however, it is more a colloquial description of how keys may be managed than a set rule and imposes no specific requirements on implementation or use.
The spec is otherwise unspecific regarding key longevity and intentionally avoids dictating operational policies. When applying current best practice (rotating keys regularly), a strict application of 3.1 would see verifiers failing to verify messages that should be verifiable due to either company policy or applicable industry guidelines/requirements.
It should also be noted that the same section indicates signers are ill-advised to reuse selectors, yet that suggestion is routinely overlooked in favour of ease of deployment.
Regards,
R. Latimer

Ietf-dkim mailing list
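The following is an added example, not code from either poster or from any DKIM implementation. It shows the two distinct things the exchange above runs together: the optional expiry check a verifier applies from the signature's own t=/x= tags (RFC 6376 sections 3.5 and 6.1.1), and the key-availability outcomes that follow from how the signer manages selectors (section 6.1.2: no record at all versus a published record with an empty p=). The DKIM-Signature tag list, the timestamps and the selector names 2025q1/2025q2/2025q3 are constructed, and the dictionary FAKE_DNS stands in for the DNS TXT lookup; the b= and bh= values are placeholders, so the cryptographic check itself is deliberately left out.

```python
import time

# Constructed DKIM-Signature tag list. t= is the signing time, x= is t= plus seven days.
# bh= and b= are placeholders; this example stops before the RSA verification step.
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=2025q3; "
    "t=1757651820; x=1758256620; h=from:to:subject:date; "
    "bh=placeholderbodyhash=; b=placeholdersignature="
)

# Constructed stand-in for DNS: "<selector>._domainkey.<domain>" -> TXT record.
# 2025q3 is the live key. 2025q2 was rotated out and its record deleted (the
# "remove the old key" reading of section 3.1). 2025q1 is kept published but
# revoked with an empty p=, which section 3.6.1 defines as "key revoked".
FAKE_DNS = {
    "2025q3._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "2025q1._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}


def parse_tags(tag_list: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict.

    Whitespace inside a value is folding whitespace and is discarded.
    """
    tags = {}
    for item in tag_list.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags


def check_timing(tags: dict, now: int) -> tuple:
    """Apply the t=/x= rules: x= must exceed t= (section 3.5), and a verifier
    MAY treat a signature as invalid once the verification time is past x=
    (section 6.1.1). Returns (ok, reason)."""
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    if t is not None and x is not None and x <= t:
        return False, "PERMFAIL: x= must be greater than t="
    if x is not None and now > x:
        return False, "PERMFAIL: signature expired"
    return True, "ok"


def lookup_key(tags: dict, dns: dict) -> tuple:
    """Fetch the selector's key record and classify it as section 6.1.2 does.

    `dns` is a dict standing in for a TXT query (assumption for this example).
    """
    name = "%s._domainkey.%s" % (tags["s"], tags["d"])
    record = dns.get(name)
    if record is None:
        return False, "PERMFAIL: no key for signature (%s)" % name
    key = parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1":
        return False, "PERMFAIL: unsupported key record version"
    if not key.get("p"):
        return False, "PERMFAIL: key revoked"
    return True, "ok"


def verify_timing_and_key(sig_header: str, dns: dict, now: int) -> str:
    """Run the expiry check, then the key lookup; return the first failure
    or a note that the signature bytes would be checked next."""
    tags = parse_tags(sig_header)
    ok, reason = check_timing(tags, now)
    if not ok:
        return reason
    ok, reason = lookup_key(tags, dns)
    if not ok:
        return reason
    return "ok (signature bytes would be checked next)"


if __name__ == "__main__":
    signed_at = int(parse_tags(SAMPLE_SIG)["t"])
    print("fresh, live selector:   ", verify_timing_and_key(SAMPLE_SIG, FAKE_DNS, signed_at + 3600))
    print("after x=:               ", verify_timing_and_key(SAMPLE_SIG, FAKE_DNS, signed_at + 8 * 86400))
    print("rotated, record deleted:", verify_timing_and_key(SAMPLE_SIG.replace("s=2025q3", "s=2025q2"), FAKE_DNS, signed_at + 3600))
    print("rotated, empty p=:      ", verify_timing_and_key(SAMPLE_SIG.replace("s=2025q3", "s=2025q1"), FAKE_DNS, signed_at + 3600))
    print("today:                  ", verify_timing_and_key(SAMPLE_SIG, FAKE_DNS, int(time.time())))
```

The point the runs make concrete: a signature with no x= tag never expires on its own, so whether an old message remains verifiable is decided entirely by whether the signer still publishes the selector's key. Deleting the record and publishing an empty p= both yield PERMFAIL, but with different reason strings, which matters for anyone reading verification logs to decide whether a failure is a rotation artefact or something else.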
