On 10/15/25 1:03 PM, ed bennett wrote:
> I spent a lot of time searching for pages about DMARC and DKIM. I found a lot
> of conflicting information, a lack of information and so forth.
> But I did not find anything about needing to split up the keys this way. Of
> course my DKIM attempts simply failed and I had no idea why.

For everything mail, my go-to is always the RFCs. This is covered in the
RFC:
https://www.rfc-editor.org/rfc/rfc8301#section-1
You can also use this site as a great place for just these sorts of things:
https://explained-from-first-principles.com/email/
It seems notable that RSA 1024-bit is still part of the standard. My
understanding is that it is still difficult to brute-force an RSA
1024-bit key and I've yet to see anyone produce a good reason to use
2048-bit for DKIM signing as the benefit seems rather low. I've
configured several servers to sign using RSA 1024-bit and Ed25519, so
the server follows the standards, doesn't have DNS-related issues, and a
signature is stronger than RSA 2048-bit.
Paul
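
As an added illustration (not part of either message above), the Python below shows the DNS-side difference between the key sizes discussed in this thread: a TXT character-string holds at most 255 bytes, so an RSA 2048-bit record has to be published as several strings, while RSA 1024-bit and Ed25519 records fit in one. The function names and the keys are constructed for the example (placeholder bytes, not real keys), and RSA `p=` values are assumed to use the SubjectPublicKeyInfo encoding.

```python
import base64, re

def to_rdata(record, limit=255):
    """Split a record into quoted DNS character-strings of at most `limit` bytes."""
    return " ".join(f'"{record[i:i + limit]}"' for i in range(0, len(record), limit))

def _tlv(buf, pos):
    """Read one DER element at pos; return (value_start, value_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def key_bits(k, p):
    """Key size in bits: raw key for ed25519, SubjectPublicKeyInfo modulus for rsa."""
    key = base64.b64decode(p)
    if k == "ed25519":
        return len(key) * 8
    start, _ = _tlv(key, 0)                   # outer SEQUENCE
    _, alg_end = _tlv(key, start)             # AlgorithmIdentifier
    bit_start, _ = _tlv(key, alg_end)         # BIT STRING
    seq_start, _ = _tlv(key, bit_start + 1)   # skip the unused-bits octet
    n_start, n_end = _tlv(key, seq_start)     # INTEGER modulus
    return int.from_bytes(key[n_start:n_end], "big").bit_length()

def inspect(rdata):
    """Return (string count, longest string, k, key bits) for TXT RDATA."""
    parts = re.findall(r'"([^"]*)"', rdata)
    # Verifiers concatenate the character-strings with no separator.
    tags = dict(t.strip().split("=", 1) for t in "".join(parts).split(";") if "=" in t)
    k = tags.get("k", "rsa")
    return len(parts), max(map(len, parts)), k, key_bits(k, tags["p"])

def _der(tag, body):
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_rsa_p(bits):
    """Constructed p= value: valid SPKI layout, placeholder modulus, not a real key."""
    ints = _der(0x02, b"\x00" + b"\xc3" * (bits // 8)) + _der(0x02, b"\x01\x00\x01")
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = _der(0x30, alg + _der(0x03, b"\x00" + _der(0x30, ints)))
    return base64.b64encode(spki).decode()

if __name__ == "__main__":
    for k, p in (("rsa", sample_rsa_p(1024)), ("rsa", sample_rsa_p(2048)),
                 ("ed25519", base64.b64encode(bytes(32)).decode())):  # constructed keys
        print(inspect(to_rdata(f"v=DKIM1; k={k}; p={p}")))
```

Running `inspect()` on the TXT data actually returned by a resolver shows whether a published record survived the split intact and what key size it really carries.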