According to Viktor Dukhovni via mailop <mailop@mailop.org>:
>> - Months later, they will forward the messages they've received from these
>> lists, unmodified, to many (seemingly) random people, all at once
>
>How often can you reasonably rotate your DKIM signing keys (really
>mint a new selector and key)?

Good thought. I happen to have a groups.io list and I see that they changed the selector at the end of February, but they still publish the DNS key for the old selector. Time to pull that plug.

>> What I'm trying to understand is what they're hoping to accomplish. ...
>Perhaps indeed sending legitimate messages somehow helps the spammer's
>IP reputation. Rotating keys every couple of weeks may help, perhaps
>this may also require DMARC "p=reject".

My guess is similar, they somehow think that they can piggyback on your good reputation.

I rotate my DKIM keys every month. The new keys go into the DNS on the 27th of the previous month, I rotate on the 1st, and I remove the old keys on the 10th. On the 10th I also publish the old private signing keys on a web server that the DNS key record pointed to. Anyone can forge signatures with my old keys so if you want to check them, better check them promptly.

R's,
John
--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
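
An added example, not part of the message above: a small audit of published DKIM key records against the monthly schedule described there (publish on the 27th, sign from the 1st, remove the old key on the 10th), flagging retired selectors that still verify and expected selectors with no usable key. The per-month selector names, the function names and the sample records are assumptions made for illustration.

```python
from datetime import date

# From the message: publish on the 27th, remove the old DNS key on the 10th.
PUBLISH_DAY, RETIRE_DAY = 27, 10

def selector_for(year, month):
    """Hypothetical naming scheme: one selector per signing month."""
    return f"s{year:04d}{month:02d}"

def _shift(year, month, delta):
    idx = year * 12 + (month - 1) + delta
    return idx // 12, idx % 12 + 1

def expected_state(today):
    """Return (signing selector, selectors that should publish a live key)."""
    y, m = today.year, today.month
    signing = selector_for(y, m)
    live = {signing}
    if today.day < RETIRE_DAY:      # last month's key stays until the 10th
        live.add(selector_for(*_shift(y, m, -1)))
    if today.day >= PUBLISH_DAY:    # next month's key is pre-published
        live.add(selector_for(*_shift(y, m, +1)))
    return signing, live

def dkim_tags(txt):
    """Parse a DKIM key record ("v=DKIM1; k=rsa; p=...") into a tag dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {name.strip(): "".join(value.split()) for name, value in pairs}

def audit(records, today):
    """records: {selector: TXT string}. Returns sorted (selector, finding)."""
    _, live = expected_state(today)
    findings = []
    for sel in live:
        if not dkim_tags(records.get(sel, "")).get("p"):
            findings.append((sel, "missing"))  # should verify, no usable key
    for sel, txt in records.items():
        if sel not in live and dkim_tags(txt).get("p"):
            findings.append((sel, "stale"))    # retired selector still verifies
    return sorted(findings)

# Constructed sample records; the p= values are placeholders, not real keys.
SAMPLE = {
    "s202401": "v=DKIM1; k=rsa; p=",  # empty p= marks a revoked key (RFC 6376)
    "s202402": "v=DKIM1; k=rsa; p=PLACEHOLDERFEB",
    "s202403": "v=DKIM1; k=rsa; p=PLACEHOLDERMAR",
}
```

In practice the `records` dict would be filled from TXT lookups of `<selector>._domainkey.<domain>` for every selector the domain has ever used.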