Jim Fenton wrote:
> If you still have the records, can you count the number of records
> with g=; ? That's used in an example in some of the DomainKey specs
> and works for DK but means "match nothing" for DKIM.

I was planning on doing an analysis of the key values anyway, so here goes.

65461 DNS _domainkey records were examined that did not contain syntax errors. Of these, 37309 were used by DKIM and 46623 were used by DomainKeys. (Some were used by both.) Of them, 2186 have v=DKIM1.

==== mistakes ====

As noted before, there were a number of mistakes found within the key records. I found occurrences of all of these:

    DKIM=unknown
    O=-
    a=rsa-sha1
    c=nofws
    c=relaxed/relaxed
    d=SOMEDOMAIN
    dkim=all
    i=*
    kv=DKIM1
    o=-
    o=~
    q=dns

If I trim the list down to the v=DKIM1 records, there are STILL errors:

    c=relaxed/relaxed
    o=-

There are a few records that have r=EMAIL values in them.

==== legal keys ====

====== g= ======

The following valid g= values were used by DKIM:

    g=
    g=*
    g=noreply

For v=DKIM1 records, it's just

    g=*
    g=noreply

This confirms the suggestion a couple meetings ago that vendors should treat g= as equivalent to g=* if v=DKIM1 is not found. There were NO cases of g=; found for v=DKIM1 records.

====== h= ======

The following valid h= values were used by DKIM. All of these were in v=DKIM1 records:

    h=sha1
    h=sha1:sha256
    h=sha256

A notable mistake was an entry with this value:

    h=rsa-sha1

====== k= ======

The following valid k= values were used by DKIM.

    k=rsa

A notable mistake was an entry with this value:

    k=rsa-sha1

It was NOT the same record as the similar h= mistake.

====== n= ======

1879 of the records used n=.

====== s= ======

The value s=email was used in 33 records, 31 along with v=DKIM1.

====== t= ======

The following valid t= values were used by DKIM.

    t=s
    t=s:y
    t=y
    t=y:s

Of note are these two mistakes:

    t=n
    t=s|y

Hope people found this of interest.

Tony Hansen
t...@att.com
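
Added example, not part of the original message or of any DKIM implementation: a small Python linter that flags the kinds of key-record mistakes listed above and applies the g= handling the message describes. The tag set and allowed values are assumed from RFC 4871 section 3.6.1; the function names are hypothetical and the sample record is constructed.

```python
# Added example: lint a _domainkey TXT record for the mistakes listed above.
# Assumption: tag set and allowed values follow RFC 4871 section 3.6.1.
KEY_TAGS = {"v", "g", "h", "k", "n", "p", "s", "t"}
ALLOWED = {
    "h": {"sha1", "sha256"},
    "k": {"rsa"},
    "s": {"*", "email"},
    "t": {"y", "s"},
}


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict. Tag names are case-sensitive."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # trailing ';' or empty segment
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a tag=value pair: {part.strip()!r}")
        tags[name.strip()] = value.strip()
    return tags


def lint_key_record(record):
    """Return (findings, effective_g) for one key record."""
    tags = parse_tags(record)
    findings = []
    for name, value in tags.items():
        if name not in KEY_TAGS:
            # e.g. c=relaxed/relaxed or o=-, which belong to other contexts
            findings.append(f"unknown tag {name}={value}")
        elif name in ALLOWED:
            # colon-separated list; 's|y' or 'rsa-sha1' fail here
            for item in value.split(":"):
                if item.strip() not in ALLOWED[name]:
                    findings.append(f"invalid {name}= value {item.strip()!r}")
    g = tags.get("g", "*")  # an absent g= defaults to '*'
    if g == "":
        if tags.get("v") == "DKIM1":
            findings.append("empty g= matches no local-part under DKIM")
        else:
            g = "*"  # DomainKeys-era record: treat g= as g=*
    return findings, g


if __name__ == "__main__":
    # Constructed sample record; the p= value is a placeholder, not a real key.
    sample = "v=DKIM1; c=relaxed/relaxed; h=rsa-sha1; t=s|y; p=PLACEHOLDER"
    for finding in lint_key_record(sample)[0]:
        print(finding)
```
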