On Fri, 10 May 2024 10:47:43 +0100,
Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2024/05/10 11:40, Matthieu Herrb wrote:
> >
> > Afaict dkimproxy is not using opendkim but p5-Mail-DKIM. dkimproxy
> > itself also hasn't seen an update since many years, but the underlying
> > perl lib has been last updated last January (and could use an update
> > in the port).
> >
> > So unless you imply that because many people use opendkim, ed25519
> > based signatures shouldn't be used at all I'm not sure I understand
> > what you're saying.
>
> ed25519 can be used, but at the moment if you do use it, you probably
> want to be double-signing with both that + rsa-sha256.
>

I imply that using ed25519 usually leads to a malformed signature, and
some big hosting providers treat a double signature as a bad signature if
some of them are not RSA-SHA256.

A notable example is icloud.com, which delivers all emails with double
signatures to the junk folder. At least that's what they did the last
time I checked, in December '23.

So I suggest putting in the README and config example that using anything
other than RSA-SHA256 may lead to email being delivered to junk.

Unfortunately, this includes double signatures as well.

-- 
wbr, Kirill
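
To compare how receivers treat the signing setups discussed in this thread, it helps to know which setup a given outgoing message actually carries. The following is an added example, not part of any message in the thread and not dkimproxy or p5-Mail-DKIM code; the sample message, selectors and the names `parse_tags`, `signature_algorithms` and `classify` are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: one message carrying two DKIM-Signature headers.
# bh= and b= values are placeholders, not real hashes or signatures.
SAMPLE = """\
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=example.org;
\ts=ed2024; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
\ts=rsa2024; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: alice@example.org
To: bob@example.net
Subject: test

body
"""

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376) into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # b= may itself contain '=' padding
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def signature_algorithms(raw_message):
    """Return the a= algorithm of every DKIM-Signature header, in header order."""
    msg = message_from_string(raw_message)
    return [parse_tags(v).get("a", "").lower()
            for v in msg.get_all("DKIM-Signature", [])]

def classify(raw_message):
    """Label the signing setup: unsigned, rsa-only, double-signed or no-rsa."""
    algs = signature_algorithms(raw_message)
    if not algs:
        return "unsigned"
    has_rsa = "rsa-sha256" in algs
    has_other = any(a != "rsa-sha256" for a in algs)
    if has_rsa and has_other:
        return "double-signed"
    return "rsa-only" if has_rsa else "no-rsa"

if __name__ == "__main__":
    print(signature_algorithms(SAMPLE), classify(SAMPLE))
```

This only reads the `a=` tags; it does not verify the signatures themselves.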