On 02/06/2023 08:45, Gellner, Oliver via mailop wrote:
> the Google admin toolbox claims our DKIM keys and MTA-STS entries are
> invalid. Example:
> https://toolbox.googleapps.com/apps/checkmx/check?domain=dm.de&dkim_selector=dmglobal4
> reports "Invalid format of DKIM record" and "MTA STS is malformed". I cannot
> find out what is invalid about them, can someone shed some light on this? Or
> is the Google admin toolbox broken, or is it only designed for Gsuite domains
> and expects some Google specific entries like it does for the SPF check?

It's very broken because it's making Recursion Desired DNS queries to my
Authoritative DNS servers, and I drop those.

Google then fails to implement RFC8461 correctly, despite authoring it:
"The MTA-STS TXT record must comply with RFC8461 Multiple records found."

I have these DNS records, which is valid because only one begins with
"v=STSv1;":

_mta-sts TXT "v=RFC7672; this obsession with PKIX must stop; use DANE"
_mta-sts TXT "v=STSv1; id=0"

It says this at the bottom, so it looks like it accepts my DKIM/DMARC records:
"DKIM authentication DNS setup."
"Formatting of DMARC policies."

-- 
Simon Arlott
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
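
The record-selection rule of RFC 8461 section 3.1 that the reply above relies on, as an added example that is not part of the original message or of any tool it mentions. The function names are hypothetical, each TXT record is assumed to be already concatenated into one string, and the field syntax check is a simplified reading of the RFC's ABNF.

```python
import re

STS_PREFIX = "v=STSv1;"
ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,31}")
VALUE_RE = re.compile(r"[\x21-\x3A\x3C\x3E-\x7E]+")  # printable, no "=", ";" or space


def select_sts_record(txt_rrset):
    """Discard TXT records not beginning with "v=STSv1;"; require exactly one left."""
    candidates = [r for r in txt_rrset if r.startswith(STS_PREFIX)]
    return candidates[0] if len(candidates) == 1 else None


def parse_sts_record(record):
    """Return the record's fields as a dict, or raise ValueError if malformed."""
    parts = [p.strip(" \t") for p in record[len("v=STSv1"):].split(";")][1:]
    if parts and parts[-1] == "":
        parts.pop()  # a single trailing ";" is allowed
    fields = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep or not NAME_RE.fullmatch(name) or not VALUE_RE.fullmatch(value):
            raise ValueError(f"malformed field: {part!r}")
        fields.setdefault(name, value)  # first occurrence wins (choice of this example)
    if not ID_RE.fullmatch(fields.get("id", "")):
        raise ValueError("missing or invalid id field")
    return fields


def discover(txt_rrset):
    """Fields of the usable policy record, or None if the domain has no usable one."""
    record = select_sts_record(txt_rrset)
    if record is None:
        return None
    try:
        return parse_sts_record(record)
    except ValueError:
        return None


# The two records from the message above, as one TXT RRset for _mta-sts.
POSTED = [
    "v=RFC7672; this obsession with PKIX must stop; use DANE",
    "v=STSv1; id=0",
]
# Constructed counter-example: two records that both begin with "v=STSv1;".
AMBIGUOUS = ["v=STSv1; id=0", "v=STSv1; id=1"]
print(discover(POSTED), discover(AMBIGUOUS))
```

A checker that counts every TXT record at `_mta-sts` before filtering on the prefix would report the first RRset as having multiple records, while this filter-then-count order leaves exactly one.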