Hi!
On 12/19/25 20:26, Inveigle.net wrote:
> On 9/12/2025 6:37 am, Hannah Stern wrote:
>> IIRC it's part of the design of DKIM (both 1 and 2) that signatures
>> are usable for validating only "soon" after the message has been
>> originally sent/signed (ideally the "x" time of a DKIM1 signature, or
>> the maximum validity period of a DKIM2 signature as defined by the
>> drafts).
>
> Sorry for the late reply. I have been unwell and am a bit behind on my
> mailing list reading.
>
> Timely verification has never been anything more than a recommendation
> (6. Verifier Actions). The section you are referring to (3.1 Selectors)
> does refer to the removal of the public key after transitioning to a new
> selector; however, it is more a colloquial description of how keys may
> be managed than a set rule and imposes no specific requirements on
> implementation or use.

Yes, I can see this.

As far as I understand the latest DKIM2 draft, a signature does have a
mandatory timestamp. There's no expiry timestamp anymore (unlike DKIM1
"x"). Verifiers just "MAY ignore" signatures older than 14 days (I'd
think that would mean a fail because just ignoring this one signature
and going on with other signatures may not make much sense anymore, at
least if the full chain is validated).

> The spec is otherwise unspecific regarding key longevity and
> intentionally avoids dictating operational policies. When applying
> current best practice, rotating keys regularly, a strict application of
> 3.1 would see verifiers failing to verify messages that should be
> verifiable due to either company policy or applicable industry
> guidelines/requirements.
>
> It should also be noted that the same section indicates signers are
> ill-advised to reuse selectors, yet that suggestion is routinely
> overlooked in favour of ease of deployment.

I've not seen advice about not reusing selectors, at least in the latest
draft-clayton-dkim2-spec (v5).

> Regards,
> R. Latimer

Kind regards,
Hannah.
--
Hannah Stern
Software Developer
Mail Transfer Development
1&1 Mail & Media Development & Technology GmbH
Phone: +49 721 91374-4519
E-Mail: [email protected] | Web: www.mail-and-media.com www.gmx.net
www.web.de www.mail.com www.united-internet-media.de
Hauptsitz Montabaur, Amtsgericht Montabaur, HRB 5452
Geschäftsführer: Alexander Charles, Dr. Michael Hagenau, Thomas Ludwig,
Dr. Verena Patzelt
Member of United Internet
This e-mail may contain confidential and/or privileged information. If
you are not the intended recipient of this e-mail, you are hereby
notified that saving, distribution or use of the content of this e-mail
in any way is prohibited. If you have received this e-mail in error,
please notify the sender and delete the e-mail.
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
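An added example, not code from the thread or from any DKIM implementation, modelling the two timing rules discussed in the message above: the DKIM1 `t=`/`x=` tags of RFC 6376, and the DKIM2 behaviour as Hannah describes it (mandatory signing timestamp, no expiry, signatures older than 14 days MAY be ignored, and ignoring one hop's signature breaking a chain validation). The DKIM2 timestamp representation and the per-hop chain model are assumptions for illustration, not the draft's wire format; the sample header is constructed.

```python
import time

DKIM2_MAX_AGE_SECONDS = 14 * 24 * 3600  # the 14-day window quoted in the thread

# Constructed DKIM1 header value (hash and signature values are placeholders).
SAMPLE_DKIM1 = ("v=1; a=rsa-sha256; d=example.com; s=sel2025; t=1700000000;\r\n"
                " x=1700604800; h=from:to:subject; bh=AAAA=; b=BBBB==")


def parse_tags(header_value):
    """Parse a DKIM-Signature tag list (RFC 6376 section 3.2) into a dict.
    Only the first '=' separates name from value, so base64 padding survives;
    folding whitespace inside values is removed."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def dkim1_time_status(tags, now):
    """DKIM1 (RFC 6376): 't' is the signing time, 'x' the optional expiry.
    RFC 6376 requires x > t when both are present, and lets a verifier treat a
    signature whose 'x' is in the past as invalid. Returns 'invalid',
    'expired' or 'pass'."""
    if "x" not in tags:
        return "pass"
    x = int(tags["x"])
    if "t" in tags and x <= int(tags["t"]):
        return "invalid"
    return "expired" if now > x else "pass"


def dkim2_age_status(signing_time, now):
    """DKIM2 as described in the thread (assumed representation: a Unix
    timestamp, None if absent). The timestamp is mandatory; a signature older
    than 14 days MAY be ignored by the verifier."""
    if signing_time is None:
        return "fail"
    return "ignore" if now - signing_time > DKIM2_MAX_AGE_SECONDS else "pass"


def dkim2_chain_status(hops, now):
    """hops: list of (signing_time, crypto_ok) per forwarding hop, oldest first
    (assumed model). Ignoring one hop leaves a gap, so the whole chain fails."""
    for signing_time, crypto_ok in hops:
        if not crypto_ok or dkim2_age_status(signing_time, now) != "pass":
            return "fail"
    return "pass"


if __name__ == "__main__":
    now = int(time.time())
    print(dkim1_time_status(parse_tags(SAMPLE_DKIM1), now))
```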