Re: [exim-dev] [exim-cvs] cvs commit: exim/exim-doc/doc-docb…

Author: Tom Kistner
Date:  
To: exim-dev
Subject: Re: [exim-dev] [exim-cvs] cvs commit: exim/exim-doc/doc-docbook spec.xfpt exim/exim-doc/doc-txt ChangeLog experimental-spec.txt
Phil Pennock wrote:

> Does this mean that DomainKeys support disappears with 4.70?


Yes.

> Since in 4.69, in practice it's DomainKeys or DKIM but not both when


I had put code that enables parallel DKIM/Domainkeys usage in CVS, but
sadly, I think it was never released.

> signing outbound mail (DKIM silently ignored) what is the migration
> strategy for sites currently using DomainKeys? Do they need to get DKIM
> support built in 4.69 and just stop using DomainKeys?


Ahem, yes. I'm afraid there is only a direct Domainkeys->DKIM migration.
Both having been EXPERIMENTAL_ features, one is now being removed while
the other gets full blessing (and a native implementation).

> The issue I'm wary of is remote sites which use reputation systems for
> senders that track whether a domain uses DomainKeys and how reliably it
> does so; if a domain stops DomainKeys usage without first ramping up
> DKIM usage to establish a history of that, this might affect
> deliverability to some of the larger email providers.


Hrrrm. I wasn't aware that reputation systems are so advanced :)

You can pull last week's exim-src from CVS, it will have parallel
DKIM/Domainkeys support via the appropriate libraries. Now I know that
this is not a solution for everyone, but I think you are a special case
anyway :)

> For me, I'm still using DomainKeys because of all the fuss over the
> standardisation of signing-policy-in-DNS preventing a useful policy for
> DKIM from being published. Ie, _domainkey.spodhuis.org exists and when
> I last checked there wasn't an equivalent for DKIM;
> _adsp._domainkey.spodhuis.org looks like it would be the current
> mechanism, but who uses that?


Not sure. I don't :). I think it's more important that people start
signing first.

> Until there are signing policies in DNS for DKIM and those are used in
> practice, can DomainKeys be dropped?


I think it can. Sometimes it's better to give people a nudge in the
right direction. The new DKIM support is built by default. Basic logging
of signature status is also enabled by default. This will give DKIM much
more visibility, and hopefully more people will start signing as well.


/tom