Re: [mailop] Unbound configuration for DNSBL ?

2023-03-27 Thread Renaud Allard via mailop



On 3/27/23 16:46, Cyril - ImprovMX via mailop wrote:
> Using OpenDNS in between shouldn't be an issue since we use a key to
> query SpamHaus that is specific to us. OpenDNS relays that query so we
> are properly identified at Spamhaus and aren't doing anything tricky.
> We've seen the configuration with them and they haven't raised any
> issues with it.




If you are using a DNS key from spamhaustech, there is no technical 
problem in using OpenDNS. Although you should probably query the servers 
yourself as OpenDNS won't really add any value to your queries and you 
have no means to control what they answer you, or don't really know what 
they are doing in terms of caching, etc. Also, with mails, having a few 
more milliseconds of delays won't do anything bad, so there is no need 
to search for the fastest DNS provider, it's better to have full control 
on your queries.


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] mailgun anybody? (variable sender address) time

2023-03-27 Thread Bill Cole via mailop

On 2023-03-27 at 06:46:04 UTC-0400 (Mon, 27 Mar 2023 13:46:04 +0300)
Lena--- via mailop 
is rumored to have said:

[...]
> For NS I currently use the registrar. Its web-interface allowed me to create
> the TXT record for a selector. The parent _domainkey - NXDOMAIN.


So this isn't what you're referring to?

# dig _domainkey.lena.kiev.ua

; <<>> DiG 9.18.12 <<>> _domainkey.lena.kiev.ua
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11967
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1




--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] NS DKIM

2023-03-27 Thread Lena--- via mailop
> That (sub)domain is not DNSSEC signed, thus it will work with
> (many) recursive resolvers for some time. DNSSEC mandates
> NoDATA for empty non terminals, thus there can be problem
> once it become signed (and SW and/or admin will not be
> upgraded).

Okay, I created a TXT record for the parent _domainkey.
Though I'm sure that most other users of such registrar's web-interfaces
wouldn't do that.


Re: [mailop] NS DKIM

2023-03-27 Thread Slavko via mailop
On 27 March 2023 17:06:55 UTC, Alessandro Vesely via mailop wrote:
>On Mon 27/Mar/2023 18:25:24 +0200 Brad Beyenhof via mailop wrote:
>> On 3/27/23, 9:18 AM, "mailop on behalf of Heiko Schlittermann via mailop"
>> <mailop-boun...@mailop.org on behalf of mailop@mailop.org> wrote:
>>> Lena--- via mailop (Mon 27 Mar 2023 17:40:29 CEST):
>>>>> If the DNS name xxx._domainkey.example.com exists, then
>>>>> _domainkey.example.com exists too.
>>>>
>>>> dig 3._domainkey.lena.kiev.ua txt
>>>> 3._domainkey.lena.kiev.ua. 66633 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb...
>>>>
>>>> dig _domainkey.lena.kiev.ua txt
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57410
>>> 
>>> Reading https://www.rfc-editor.org/rfc/rfc8020#section-3.1 
>>> 
>>> this should not happen, shouldn't it?
>> 
>> It's possible that `3._domainkey` is a dotted record in the DNS zone for 
>> `lena.kiev.ua`, and `_domainkey.lena.kiev.ua` isn't set up as its own zone.
>
>
>Isn't that the usual way to do it?  I certainly didn't create a new zone for 
>_domainkey.  Yet, I have (using bind):

Yes, that is how empty non-terminals appear.

AFAIK a zone is something that has its own SOA, and once
something has a SOA (or any other record) it is not empty
anymore ;-)

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] NS DKIM

2023-03-27 Thread Alessandro Vesely via mailop

On Mon 27/Mar/2023 18:25:24 +0200 Brad Beyenhof via mailop wrote:
> On 3/27/23, 9:18 AM, "mailop on behalf of Heiko Schlittermann via mailop"
> <mailop-boun...@mailop.org on behalf of mailop@mailop.org> wrote:
>> Lena--- via mailop (Mon 27 Mar 2023 17:40:29 CEST):
>>>> If the DNS name xxx._domainkey.example.com exists, then
>>>> _domainkey.example.com exists too.
>>>
>>> dig 3._domainkey.lena.kiev.ua txt
>>> 3._domainkey.lena.kiev.ua. 66633 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb...
>>>
>>> dig _domainkey.lena.kiev.ua txt
>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57410
>>
>> Reading https://www.rfc-editor.org/rfc/rfc8020#section-3.1
>> this should not happen, shouldn't it?
>
> It's possible that `3._domainkey` is a dotted record in the DNS zone for
> `lena.kiev.ua`, and `_domainkey.lena.kiev.ua` isn't set up as its own zone.



Isn't that the usual way to do it?  I certainly didn't create a new zone for 
_domainkey.  Yet, I have (using bind):


; <<>> DiG 9.16.37-Debian <<>> _domainkey.tana.it any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18450
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1


Best
Ale
--






Re: [mailop] NS DKIM

2023-03-27 Thread Slavko via mailop
On 27 March 2023 16:13:35 UTC, Heiko Schlittermann via mailop wrote:
>Lena--- via mailop (Mon 27 Mar 2023 17:40:29 CEST):

>> dig _domainkey.lena.kiev.ua txt
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57410
>
>Reading https://www.rfc-editor.org/rfc/rfc8020#section-3.1
>this should not happen, shouldn't it?

Is this really the first time you see an old or non-RFC-compliant
implementation somewhere? BTW RFC 8020 is not so old for
this to be a surprise...

That (sub)domain is not DNSSEC signed, thus it will work with
(many) recursive resolvers for some time. DNSSEC mandates
NoDATA for empty non-terminals, thus there can be a problem
once it becomes signed (and the SW and/or admin is not
upgraded).

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] NS DKIM

2023-03-27 Thread Brad Beyenhof via mailop
On 3/27/23, 9:18 AM, "mailop on behalf of Heiko Schlittermann via mailop"
<mailop-boun...@mailop.org on behalf of mailop@mailop.org> wrote:
> Lena--- via mailop (Mon 27 Mar 2023 17:40:29 CEST):
> > > If the DNS name xxx._domainkey.example.com exists, then
> > > _domainkey.example.com exists too.
> > 
> > dig 3._domainkey.lena.kiev.ua txt
> > 3._domainkey.lena.kiev.ua. 66633 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb...
> > 
> > dig _domainkey.lena.kiev.ua txt
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57410
> 
> Reading https://www.rfc-editor.org/rfc/rfc8020#section-3.1 
> 
> this should not happen, shouldn't it?

It's possible that `3._domainkey` is a dotted record in the DNS zone for 
`lena.kiev.ua`, and `_domainkey.lena.kiev.ua` isn't set up as its own zone.

-- 
Brad Beyenhof 
Systems Wrangler 
ServiceNow 
O: 858.480.8643 
M: 619.990.0680



Re: [mailop] NS DKIM

2023-03-27 Thread Heiko Schlittermann via mailop
Lena--- via mailop (Mon 27 Mar 2023 17:40:29 CEST):
> > If the DNS name xxx._domainkey.example.com exists, then
> > _domainkey.example.com exists too.
> 
> dig 3._domainkey.lena.kiev.ua txt
> 3._domainkey.lena.kiev.ua. 66633 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb...
> 
> dig _domainkey.lena.kiev.ua txt
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57410

Reading https://www.rfc-editor.org/rfc/rfc8020#section-3.1
this should not happen, shouldn't it?

-- 
Heiko




[mailop] NS DKIM

2023-03-27 Thread Lena--- via mailop
> If the DNS name xxx._domainkey.example.com exists, then
> _domainkey.example.com exists too.

dig 3._domainkey.lena.kiev.ua txt
3._domainkey.lena.kiev.ua. 66633 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb...

dig _domainkey.lena.kiev.ua txt
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57410

`dig @8.8.8.8` tells the same. `dig +trace 3._dom...` works.


Re: [mailop] Unbound configuration for DNSBL ?

2023-03-27 Thread Cyril - ImprovMX via mailop
Thank you for the follow ups.

@Michael why the suggestion to use something else? I think it would just
move the issue elsewhere without fixing it.

@Renaud that's exactly what we are currently doing; we are working on a
partnership with Spamhaus to set up a paid account with them in order to
have full access to their data while respecting their fair usage. Our idea
here is to have a good compromise between using the paid versions of
SpamHaus while having a nice cache system in place in order to optimize our
requests, hence my email.

Using OpenDNS in between shouldn't be an issue since we use a key to query
SpamHaus that is specific to us. OpenDNS relays that query so we are
properly identified at Spamhaus and aren't doing anything tricky.
We've seen the configuration with them and they haven't raised any issues
with it.

On Mon, 27 Mar 2023 at 16:25, Renaud Allard via mailop wrote:

>
>
> On 3/27/23 11:17, Cyril - ImprovMX via mailop wrote:
> > Hi everyone!
> >
> > We have a few SpamAssassin servers running that test against services
> > such as SpamHaus, URIBL, etc.
> > We often have our queries blocked because we go beyond the free usage.
> >
> > As such, we started a trial with SpamHaus, and the result is that we
> > query around 8M times per day.
> >
> > Our current infrastructure is a set of SA servers that use our (local
> > network) DNS server - Unbound, to optimize the queries (caching and the
> > like).
> >
> > I'm not an expert on Unbound and would love your input on how we can
> > fine-tune it to work better on caching the requests made to SpamHaus and
> > reducing the number of queries we are doing.
> >
> > Right now, here's our Unbound.conf file:
> > https://pastebin.com/PZWUn4My 
> >
> > Just in case, here's our current SA file:
> > https://pastebin.com/E2y1Yqm8 
> >
> > If any of you have any suggestions on how we can optimize these
> > configurations, I'd love to have your feedback!
> >
> Making DNSBL queries through open DNS servers is forbidden/discouraged
> by most of the DNSBL providers. Obviously, you are not alone doing it,
> so those servers are making a lot of queries and get rate limited/banned.
>
> Setting your cache-min-ttl higher than what is told by the DNS servers
> might improve your caching, but might also cause false positives if the
> IP has been removed from the list. And setting a cache-max-ttl isn't
> going to improve anything, quite the contrary.
>
> Please also be aware that many DNSBL providers have subscriptions for
> commercial senders like you, and that's probably the way to go. If you
> cannot afford paying for them, maybe your pricing model is wrong.
>
> There are obvious ways to bypass rate limiting (although it probably
> doesn't scale that well), but I am not going to divulge that as this is
> the best way to get many free lists non-free anymore.


Re: [mailop] Unbound configuration for DNSBL ?

2023-03-27 Thread Renaud Allard via mailop



On 3/27/23 11:17, Cyril - ImprovMX via mailop wrote:
> Hi everyone!
>
> We have a few SpamAssassin servers running that test against services
> such as SpamHaus, URIBL, etc.
> We often have our queries blocked because we go beyond the free usage.
>
> As such, we started a trial with SpamHaus, and the result is that we
> query around 8M times per day.
>
> Our current infrastructure is a set of SA servers that use our (local
> network) DNS server - Unbound, to optimize the queries (caching and the
> like).
>
> I'm not an expert on Unbound and would love your input on how we can
> fine-tune it to work better on caching the requests made to SpamHaus and
> reducing the number of queries we are doing.
>
> Right now, here's our Unbound.conf file:
> https://pastebin.com/PZWUn4My
>
> Just in case, here's our current SA file:
> https://pastebin.com/E2y1Yqm8
>
> If any of you have any suggestions on how we can optimize these
> configurations, I'd love to have your feedback!


Making DNSBL queries through open DNS servers is forbidden/discouraged 
by most of the DNSBL providers. Obviously, you are not alone doing it, 
so those servers are making a lot of queries and get rate limited/banned.


Setting your cache-min-ttl higher than what is told by the DNS servers 
might improve your caching, but might also cause false positives if the 
IP has been removed from the list. And setting a cache-max-ttl isn't 
going to improve anything, quite the contrary.


Please also be aware that many DNSBL providers have subscriptions for 
commercial senders like you, and that's probably the way to go. If you 
cannot afford paying for them, maybe your pricing model is wrong.


There are obvious ways to bypass rate limiting (although it probably 
doesn't scale that well), but I am not going to divulge that as this is 
the best way to get many free lists non-free anymore.


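The caching trade-off described in the message above, as an added example (not code from the thread or from Unbound): a small TTL cache that clamps upstream TTLs into a minimum and maximum the way `cache-min-ttl` and `cache-max-ttl` do, replayed against a constructed DNSBL entry that is delisted after 10 minutes. The 300-second upstream TTL, the 60-second query interval, the zone `dnsbl.example` and the address 192.0.2.10 are assumptions, and the not-listed answer is cached like any other answer, which is a simplification.

```python
"""Effect of clamping DNSBL TTLs in a resolver cache (offline simulation)."""

UPSTREAM_TTL = 300      # assumed TTL the DNSBL hands out (constructed)
DELISTED_AT = 600       # constructed: the IP leaves the list at t=600s
LISTED = "127.0.0.2"    # conventional "listed" answer; None stands for NXDOMAIN


def dnsbl_upstream(key, now):
    """Constructed DNSBL: returns (answer, ttl) reflecting the truth at `now`."""
    return (LISTED if now < DELISTED_AT else None), UPSTREAM_TTL


class ClampedCache:
    """TTL cache that clamps upstream TTLs into [min_ttl, max_ttl]."""

    def __init__(self, min_ttl=0, max_ttl=86400):
        self.min_ttl, self.max_ttl = min_ttl, max_ttl
        self.store = {}             # key -> (answer, expires_at)
        self.upstream_queries = 0

    def lookup(self, key, now, upstream):
        hit = self.store.get(key)
        if hit is not None and now < hit[1]:
            return hit[0]           # served from cache, upstream not asked
        self.upstream_queries += 1
        answer, ttl = upstream(key, now)
        ttl = max(self.min_ttl, min(ttl, self.max_ttl))
        self.store[key] = (answer, now + ttl)
        return answer


def simulate(min_ttl=0, max_ttl=86400, duration=3600, interval=60):
    """Query the same IP every `interval` seconds for `duration` seconds.

    Returns (upstream_queries, stale_listed): how many queries reached the
    DNSBL, and how many answers still said "listed" after the delisting.
    """
    cache = ClampedCache(min_ttl, max_ttl)
    key = "10.2.0.192.dnsbl.example"    # reversed 192.0.2.10, constructed zone
    stale_listed = 0
    for now in range(0, duration, interval):
        answer = cache.lookup(key, now, dnsbl_upstream)
        if answer == LISTED and now >= DELISTED_AT:
            stale_listed += 1
    return cache.upstream_queries, stale_listed


if __name__ == "__main__":
    for label, kwargs in [("TTL as served", {}),
                          ("cache-min-ttl 3600", {"min_ttl": 3600}),
                          ("cache-max-ttl 60", {"max_ttl": 60})]:
        print(label, simulate(**kwargs))
```

Raising the minimum cuts upstream queries but keeps answering "listed" long after the delisting; lowering the maximum only multiplies the queries.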


Re: [mailop] mailgun anybody? (variable sender address) time

2023-03-27 Thread Slavko via mailop
On 27 March 2023 13:20:06 UTC, Heiko Schlittermann via mailop wrote:

>If the DNS name xxx._domainkey.example.com exists, then
>_domainkey.example.com exists too. It doesn't have any data (no TXT, A,
>AAA, … record). But asking for _domainkey.example.com must not return
>NXDOMAIN then.

I agree, in theory and by RFC, but despite that I met that
NXDOMAIN (even from a paid service) in the real world and
it was the main reason to change that DNS provider. Now it
works as expected (and as you and the RFC describe).

If you want to reproduce that broken behaviour with
PowerDNS you can (I don't use PowerDNS, thus only
from my tests and from my head -- can be incomplete):

1. create "some" zone with SQL backend (SQLite is enough)
2. setup DNSSEC with NSEC3 and sign it
3. point your DNS to it (I did it via Unbound, including DNSSEC related things)
4. verify that it works, including DNSSEC, eg. via dig
5. add records, including empty non-terminals (ENT), eg. these DKIM records, directly via SQL
6. try to fetch the new records and you will see NXDOMAIN for ENT

One has to run a "magic" PowerDNS command to
fix/regenerate things after direct SQL manipulation
(which I don't remember either). If the zone is backed by a file,
that is fixed automatically, but not with SQL (at least it
was not about 1.5 years ago, when I tried it).

BTW, I was able to do that only with the help of people
from the #DNS IRC channel...

Of course, make sure that you didn't disable that
"nothing below" (RFC 8020) in the resolver, which is AFAIK
enabled by default in Unbound (harden-below-nxdomain)
and was enabled on some public DNS resolvers too at
that time (I used them to verify that my resolver is not
wrong in this).

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] mailgun anybody? (variable sender address) time

2023-03-27 Thread Heiko Schlittermann via mailop
Slavko via mailop (Mon 27 Mar 2023 14:37:54 CEST):
> That problem is more visible with DNSSEC and
> DNS "nothing under" (sorry i don't remember exact
> name nor RFC). The result is, that when _domainkey
> returns NXDOMAIN, anything under it is considered
> as NXDOMAIN too...

If the DNS name xxx._domainkey.example.com exists, then
_domainkey.example.com exists too. It doesn't have any data (no TXT, A,
AAA, … record). But asking for _domainkey.example.com must not return
NXDOMAIN then.

Compare the output (stripped by me)

dig _domainkey.amazon.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38009
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

dig _domainkey.example.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44893
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Zero answers in both cases, but the statuses differ. That's the key point,
from *my* PoV.

Simple clients will report "not found / not existing" in both cases.
So from that point that's no difference.


Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -


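The NOERROR/NXDOMAIN distinction in the message above, together with the resolver-side "nothing below" rule (RFC 8020) mentioned elsewhere in the thread, modelled offline as an added example (not code from the thread, PowerDNS or Unbound). The zone `example.test`, the selector `sel1` and the key value are constructed, and the toy resolver applies the cut to any cached NXDOMAIN without modelling DNSSEC validation.

```python
"""Empty non-terminals (ENT) and the RFC 8020 NXDOMAIN cut, modelled offline."""

NOERROR, NXDOMAIN = "NOERROR", "NXDOMAIN"


def norm(name):
    return name.rstrip(".").lower()


class Zone:
    """Toy authoritative zone: owner name -> {rrtype: [rdata]}.

    ent_aware=True answers NODATA (NOERROR, zero answers) for empty
    non-terminals; ent_aware=False mimics a server that says NXDOMAIN.
    """

    def __init__(self, records, ent_aware=True):
        self.records = {norm(n): rr for n, rr in records.items()}
        self.ent_aware = ent_aware

    def is_ent(self, name):
        # No records at this name, but at least one owner name below it.
        name = norm(name)
        return name not in self.records and any(
            owner.endswith("." + name) for owner in self.records)

    def query(self, name, rrtype):
        name = norm(name)
        if name in self.records:
            return NOERROR, self.records[name].get(rrtype, [])
        if self.ent_aware and self.is_ent(name):
            return NOERROR, []          # NODATA: the name exists, no data
        return NXDOMAIN, []


class Resolver:
    """Caching resolver. With harden=True a cached NXDOMAIN for a name is
    taken to mean that nothing exists below that name either."""

    def __init__(self, zone, harden=True):
        self.zone, self.harden = zone, harden
        self.nxdomain_cache = set()
        self.upstream_queries = 0

    def resolve(self, name, rrtype):
        parts = norm(name).split(".")
        # Always honour a cached NXDOMAIN for the exact name; with
        # hardening also honour one cached for any ancestor.
        depth = len(parts) if self.harden else 1
        for i in range(depth):
            if ".".join(parts[i:]) in self.nxdomain_cache:
                return NXDOMAIN, []     # synthesized, zone never asked
        self.upstream_queries += 1
        rcode, answers = self.zone.query(name, rrtype)
        if rcode == NXDOMAIN:
            self.nxdomain_cache.add(norm(name))
        return rcode, answers


def dkim_lookup_after_parent_probe(ent_aware, harden):
    """Probe _domainkey.<domain> first, then fetch one selector's key."""
    zone = Zone({"example.test": {"SOA": ["constructed"]},
                 "sel1._domainkey.example.test":
                     {"TXT": ["v=DKIM1; p=CONSTRUCTED"]}},
                ent_aware=ent_aware)
    resolver = Resolver(zone, harden=harden)
    parent = resolver.resolve("_domainkey.example.test", "TXT")
    selector = resolver.resolve("sel1._domainkey.example.test", "TXT")
    return parent, selector


if __name__ == "__main__":
    for ent_aware, harden in [(True, True), (False, False), (False, True)]:
        print(ent_aware, harden,
              dkim_lookup_after_parent_probe(ent_aware, harden))
```

Only the combination of an ENT-unaware server and a hardening resolver loses the selector record, and only once the parent name has been queried.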


Re: [mailop] mailgun anybody? (variable sender address) time

2023-03-27 Thread Slavko via mailop
On 27 March 2023 11:10:58 UTC, Heiko Schlittermann via mailop wrote:

>Do you have an example where ._domainkey. exists, but
>_domainkey. returns NXDOMAIN?

Yes, my previous DNS provider had that broken in their
DNS server(s). I had to create a dummy TXT record for
_.domainkey to get my DKIM keys to work.

The worst part was that they were not able to fix it,
and blamed PowerDNS. When I proved to them that it
is their misconfiguration (or lack of understanding?),
they stopped responding. I changed DNS provider about
a year ago, thus I have no example now.

That problem is more visible with DNSSEC and
DNS "nothing under" (sorry, I don't remember the exact
name nor RFC). The result is that when _domainkey
returns NXDOMAIN, anything under it is considered
as NXDOMAIN too...

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] Unbound configuration for DNSBL ?

2023-03-27 Thread Slavko via mailop
On 27 March 2023 9:17:27 UTC, Cyril - ImprovMX via mailop wrote:

>Right now, here's our Unbound.conf file:
>https://pastebin.com/PZWUn4My

If I understand that correctly, you are forwarding all
requests to OpenDNS. I am not sure if any tweaking
will make any/big difference, as OpenDNS does caching
for you (I guess).

You have max TTL pretty low, but for the above mentioned
reason, it doesn't really matter.

If you really want to get DNS queries under your own control,
do not delegate them to a third party... And filter
what you are querying, eg. do not query RBL for known
mail providers, as it is mostly useless, but I do not
know if/how it is possible in SA.

regards


-- 
Slavko
https://www.slavino.sk/


Re: [mailop] mailgun anybody? (variable sender address) time

2023-03-27 Thread Heiko Schlittermann via mailop
Lena--- via mailop (Mon 27 Mar 2023 12:46:04 CEST):
> > > > They have SPF, but no DKIM (NXDOMAIN for the _domainkey.bsi.de)
> > > > Or did I miss something?
> > > 
> > > The DKIM keys would be at ._domainkey.bsi.de
> > 
> > Yes, but as long as the parent of *any* selector does not exist, there
> > is a very good chance, that not any selector exists.
> > 
> > If the query for _domainkey.bsi.de would return a no-data answer, then
> > I can assume that they have something below that name (most probably
> > selectors I do not know until I get a mail from them.)
> 
> For NS I currently use the registrar. Its web-interface allowed me to create
> the TXT record for a selector. The parent _domainkey - NXDOMAIN.

Do you have an example where ._domainkey. exists, but
_domainkey. returns NXDOMAIN?

-- 
Heiko




Re: [mailop] mailgun anybody? (variable sender address) time

2023-03-27 Thread hg user via mailop
Yes I do, but when the phishing is in Italian I know (and use) one
updated source of patterns but sometimes it is late...

Just as an example, a little bit of one body rule I wrote:

clicca qui per (verificare|confermare|favore|riconvalidare|aggiornare)
(la tua e-mail|il tuo account)

In English it sounds like

click here to (verify|confirm|reconfirm|update) (your email|your account)

The rule has a score of 5.7 (5.6 is spam) but sometimes, when no rbl
is fired and it is a never seen before wording unknown to bayes,
DKIM/DMARC negative score don't flag the message.


Re: [mailop] mailgun anybody? (variable sender address) time

2023-03-27 Thread Lena--- via mailop
> > > They have SPF, but no DKIM (NXDOMAIN for the _domainkey.bsi.de)
> > > Or did I miss something?
> > 
> > The DKIM keys would be at ._domainkey.bsi.de
> 
> Yes, but as long as the parent of *any* selector does not exist, there
> is a very good chance, that not any selector exists.
> 
> If the query for _domainkey.bsi.de would return a no-data answer, then
> I can assume that they have something below that name (most probably
> selectors I do not know until I get a mail from them.)

For NS I currently use the registrar. Its web-interface allowed me to create
the TXT record for a selector. The parent _domainkey - NXDOMAIN.



Re: [mailop] mailgun anybody? (variable sender address) time

2023-03-27 Thread Jaroslaw Rafa via mailop
On 26.03.2023 at 17:24:32, Grant Taylor via mailop wrote:
> 
> Or are you referring to IPs that two different names resolve to?

Yes, I do. I have only one server. Of course, I can try to work around this,
for example I can put my friend's server (that I know does not have any mail
service on it) as a first MX, or I can put the address of my home Internet
connection (I happen to have a static one) - also no mail service there. But
these are poor workarounds for me.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


[mailop] Unbound configuration for DNSBL ?

2023-03-27 Thread Cyril - ImprovMX via mailop
Hi everyone!

We have a few SpamAssassin servers running that test against services such
as SpamHaus, URIBL, etc.
We often have our queries blocked because we go beyond the free usage.

As such, we started a trial with SpamHaus, and the result is that we query
around 8M times per day.

Our current infrastructure is a set of SA servers that use our (local
network) DNS server - Unbound, to optimize the queries (caching and the
like).

I'm not an expert on Unbound and would love your input on how we can
fine-tune it to work better on caching the requests made to SpamHaus and
reducing the number of queries we are doing.

Right now, here's our Unbound.conf file:
https://pastebin.com/PZWUn4My

Just in case, here's our current SA file:
https://pastebin.com/E2y1Yqm8

If any of you have any suggestions on how we can optimize these
configurations, I'd love to have your feedback!

Thank you !


Re: [mailop] mailgun anybody? (variable sender address) time

2023-03-27 Thread Heiko Schlittermann via mailop
Gellner, Oliver via mailop (Sun 26 Mar 2023 10:46:22 CEST):
> >;; Got answer:
> >;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16687
> >   
> >
> > They have SPF, but no DKIM (NXDOMAIN for the _domainkey.bsi.de)
> > Or did I miss something?
> 
> The DKIM keys would be at ._domainkey.bsi.de

Yes, but as long as the parent of *any* selector does not exist, there
is a very good chance, that not any selector exists.

If the query for _domainkey.bsi.de would return a no-data answer, then
I can assume that they have something below that name (most probably
selectors I do not know until I get a mail from them.)

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -

