On 07.06.2016 at 18:27, Steve Atkins wrote:
> The 2048 bit key plus the CNAME gives a reply packet big enough that
> the UDP reply to a non-EDNS query is truncated. Retrying over TCP
> works, but a DNS resolver that doesn't do TCP would just error out.
> That's probably why the DKIM temperror. If you make your reply small
> enough that a UDP reply works (either by not using the CNAME in the
> same zone, or by using a slightly smaller key) I expect it'd go away.
Yes, at some point it will start to work when sending to hotmail.com and outlook.com. Interestingly, Google, Yahoo, AOL & Co. don't seem to mind switching protocols during key retrieval. That explains why those ESPs that want you to set a CNAME from your zone pointing to a pubkey in their zone don't use 2048 bit keys yet.

Simon

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
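The truncation path discussed in the thread, as an added Python example that is not part of the original messages or of any product mentioned in them: it builds a compressed authoritative reply in DNS wire format (a CNAME followed by the DKIM TXT record it points to), applies the 512-byte limit that a non-EDNS UDP query is bound to (RFC 1035), and shows what a verifier is left with depending on whether its resolver retries over TCP. The names `selector1._domainkey.example.com` and `selector1._domainkey.esp-mailer.example` are assumed, and the key bytes are constructed stand-ins that only have the length of the SubjectPublicKeyInfo encoding of a 2048-bit (294 bytes) and a 1024-bit (162 bytes) RSA key; nothing touches the network.

```python
"""Why a 2048-bit DKIM key behind a CNAME can exceed a 512-byte UDP reply.

A resolver that sends a classic (non-EDNS) UDP query accepts at most 512
bytes of reply (RFC 1035). If the authoritative answer, CNAME plus the TXT
record carrying the key, is larger, the server truncates it and sets the TC
bit; a resolver that cannot retry over TCP never gets the key, which a DKIM
verifier reports as a temperror. Names and key bytes are constructed.
"""
import base64
import struct

UDP_MAX = 512                      # classic DNS/UDP payload limit without EDNS0
TYPE_CNAME, TYPE_TXT, CLASS_IN = 5, 16, 1
TC_FLAG = 0x0200                   # TC bit in the DNS header flags word


def encode_name(name, wire, offsets):
    """Append `name` to `wire`; a name already written becomes a 2-byte pointer.

    `offsets` maps names to their absolute message offset, so the repeated owner
    name and the CNAME target are compressed the way a real server would.
    """
    name = name.rstrip(".").lower()
    if name in offsets:
        return wire + struct.pack("!H", 0xC000 | offsets[name])
    offsets[name] = len(wire)
    for label in name.split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def txt_rdata(text):
    """Split a TXT value into <=255-byte character-strings (RFC 1035 3.3.14)."""
    data, out = text.encode("ascii"), b""
    for i in range(0, len(data), 255):
        chunk = data[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    return out


def dkim_record(spki_der):
    """DKIM TXT value for a key given as its SubjectPublicKeyInfo DER bytes."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode("ascii")


def build_response(qname, txt_value, cname_target=None, txn_id=0x1234):
    """Authoritative reply to a TXT query: optional CNAME, then the TXT record."""
    offsets = {}
    wire = struct.pack("!HHHHHH", txn_id, 0x8400, 1, 2 if cname_target else 1, 0, 0)
    wire = encode_name(qname, wire, offsets) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    owner = qname
    if cname_target:
        wire = encode_name(qname, wire, offsets)
        wire += struct.pack("!HHI", TYPE_CNAME, CLASS_IN, 3600)
        rdlen_at = len(wire)
        wire = encode_name(cname_target, wire + b"\x00\x00", offsets)
        rdlen = len(wire) - rdlen_at - 2
        wire = wire[:rdlen_at] + struct.pack("!H", rdlen) + wire[rdlen_at + 2:]
        owner = cname_target
    wire = encode_name(owner, wire, offsets)
    rdata = txt_rdata(txt_value)
    return wire + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 3600, len(rdata)) + rdata


def udp_reply(full_response, max_size=UDP_MAX):
    """What a non-EDNS UDP client receives: the reply, or a TC-flagged cut-down."""
    if len(full_response) <= max_size:
        return full_response, False
    flags = struct.unpack("!H", full_response[2:4])[0] | TC_FLAG
    # Simplification: cut at the byte limit; servers drop whole records instead.
    return full_response[:2] + struct.pack("!H", flags) + full_response[4:max_size], True


def is_truncated(reply):
    return bool(struct.unpack("!H", reply[2:4])[0] & TC_FLAG)


def dkim_key_lookup(full_response, resolver_does_tcp):
    """Verifier outcome: ('ok', transport) or ('temperror', None)."""
    reply, _ = udp_reply(full_response)
    if not is_truncated(reply):
        return ("ok", "udp")
    if resolver_does_tcp:
        return ("ok", "tcp")          # retry over TCP returns full_response intact
    return ("temperror", None)        # TC set, no TCP: key never retrieved


# Constructed stand-ins for SubjectPublicKeyInfo DER of RSA keys with e=65537:
# a 2048-bit key encodes to 294 bytes, a 1024-bit key to 162 bytes.
FAKE_SPKI_2048 = bytes((i * 37 + 11) % 256 for i in range(294))
FAKE_SPKI_1024 = bytes((i * 37 + 11) % 256 for i in range(162))
QNAME = "selector1._domainkey.example.com"              # assumed sender selector
ESP_NAME = "selector1._domainkey.esp-mailer.example"    # assumed ESP key location


def scenario(key_der, via_cname):
    """Full authoritative response for one deployment choice."""
    return build_response(QNAME, dkim_record(key_der), ESP_NAME if via_cname else None)


if __name__ == "__main__":
    for label, resp in [("2048-bit key behind CNAME", scenario(FAKE_SPKI_2048, True)),
                        ("2048-bit key, TXT in own zone", scenario(FAKE_SPKI_2048, False)),
                        ("1024-bit key behind CNAME", scenario(FAKE_SPKI_1024, True))]:
        print(f"{label}: {len(resp)} bytes; no TCP -> {dkim_key_lookup(resp, False)}"
              f" | TCP -> {dkim_key_lookup(resp, True)}")
```

Run as a script it prints the reply size for each variant together with the lookup outcome with and without TCP fallback; only the CNAME-plus-2048-bit combination crosses the 512-byte line, which matches both remedies in the quoted message (drop the CNAME indirection or use the smaller key). A resolver that sends EDNS0 (RFC 6891) advertises a larger buffer and is not affected, which is consistent with most large receivers retrieving the key without trouble.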