Heho,

> The inevitable questions about how bad the issues are. I.e. what
> could happen?:
> - My ip4 and ip6 reverse DNS records are not DNSSEC-signed. I could
> ask my hosting provider if they can sign them. Could there be a
> reason not to?
> - I'm not DKIM-signing the MIME-Version header (marked as minor
> issue).

Well, as long as your mail gets delivered, it is not tooooo bad, is it? ;-)

More seriously; The indicators are more like "should improve" (stop-shield), "could improve" (road-block), and "fun-fact" (light bulb on 'ok'). Nobody will die (or rather: Have their mails not delivered) if your rDNS is not DNSSEC signed. But in an ideal world it should be. Naturally, non-fcrDNS is a lot worse than that; But then again, you should be able to interpret that when running a mail-server. ;-)

For DKIM, btw, I got poked re: my rather RFC4871-ish interpretation; I revisited that to now only add a note (small light-bulb) if some headers in the 'think about doing it depending on your use-case'-frame introduced with RFC6376 are unsigned, while not signing From: now triggers a "should improve".

> I'm happy to see my ed25519 dkim signatures are accepted by someone.
> (:

Fun story how the setup got to that, actually... during testing a tester had an RSA key marked as ed25519 in DNS, while signing with an actual ed25519 key; Led to a lot more fine-grained evaluation in the tool, incl. plausibility checks for pubkeys in the DNS.

With best regards,
Tobias

-- 
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl
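
The kind of plausibility check mentioned in the message above (a DKIM key record whose k= tag does not match the key material in p=), as an added example that is not part of the original post and not the tool's own code. It assumes raw 32-byte Ed25519 keys (RFC 8463) and DER-encoded RSA keys; the function names and sample records are constructed for illustration.

```python
import base64
import binascii

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER for 1.2.840.113549.1.1.1

def parse_tags(txt):
    """Split a DKIM key record (RFC 6376 tag=value list) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def looks_like(raw):
    """Guess the key type from the decoded p= bytes alone."""
    if len(raw) == 32:
        return "ed25519"  # RFC 8463: p= carries the raw 32-byte public key
    if raw[:1] == b"\x30" and RSA_OID in raw[:32]:
        return "rsa"      # DER SEQUENCE carrying the rsaEncryption OID
    return "unknown"

def check_key_record(txt):
    """Return (verdict, detail) for one DKIM key TXT record."""
    tags = parse_tags(txt)
    declared = tags.get("k", "rsa")  # k= defaults to rsa when absent
    p = tags.get("p")
    if p is None:
        return "error", "no p= tag"
    if p == "":
        return "revoked", "empty p= tag"
    try:
        raw = base64.b64decode(p, validate=True)
    except binascii.Error:
        return "error", "p= is not valid base64"
    actual = looks_like(raw)
    if actual != declared:
        return "mismatch", f"k={declared} but key material looks like {actual}"
    return "ok", f"{declared}, {len(raw)} bytes"

# Constructed sample data: placeholder bytes shaped like keys, not real keys.
ED_B64 = base64.b64encode(bytes(range(32))).decode()
RSA_B64 = base64.b64encode(bytes.fromhex("30819f300d") + RSA_OID
                           + bytes.fromhex("050003818d00") + bytes(140)).decode()
GOOD_ED = f"v=DKIM1; k=ed25519; p={ED_B64}"
MISLABELLED = f"v=DKIM1; k=ed25519; p={RSA_B64}"  # the case from the message

if __name__ == "__main__":
    for record in (GOOD_ED, MISLABELLED):
        print(check_key_record(record))
```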