* Al Iverson via mailop:
> My answer to the question of why: To make it slightly harder for bad
> guys to pick up and DKIM replay older messages.

The problem I see with trusting the x-tag is that one cannot be sure if the functionality is implemented, or if the tag is "honored" by third parties.

What is both reliable and controlled by any sending party are their own DNS RRs. Delete the records for outdated DKIM selectors, and (barring caching errors) signatures can no longer be validated once the RR TTL has expired.

How useful that is in the real world is debatable, but rolling DKIM keys automatically on a weekly basis, for example, requires nothing but a bit of creative scripting.

-Ralph

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
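The "bit of creative scripting" Ralph mentions, as an added example that is not part of the thread and not anyone's production tooling: a small Python planner for weekly selector rotation. It publishes next week's `_domainkey` record ahead of time, says which selector to sign with today, and lists the selectors whose records can be deleted because no legitimately signed mail should still be in transit. Once a record is deleted and the TTL has run out, a replayed message signed with that key no longer verifies, which is the effect the post describes. The selector naming (`2024w17`), the 7-day period, the 3-day transit allowance, the 3600 s TTL and the sample published-selector state are all assumptions made for the example; key generation is left to `openssl` (commands in the docstring) and the PEM-to-`p=` conversion is shown on a placeholder that is not a real key.

```python
"""DKIM selector rotation planner (stdlib only; added example, not list-member code).

Key material is generated outside this script, e.g.
    openssl genrsa -out 2024w17.key 2048
    openssl rsa -in 2024w17.key -pubout -out 2024w17.pub   # PEM 'PUBLIC KEY' (SPKI)
"""
import base64
from datetime import date, timedelta

PERIOD_DAYS = 7        # assumed: one selector per ISO week
TRANSIT_DAYS = 3       # assumed upper bound for queued/delayed legitimate mail
TTL_SECONDS = 3600     # assumed TTL published on the _domainkey TXT records


def period_start(d: date) -> date:
    """Monday of the ISO week containing d: the start of that selector's signing window."""
    return d - timedelta(days=d.weekday())


def selector_name(d: date) -> str:
    """Selector for the week containing d, e.g. 2024w17 (assumed naming scheme)."""
    year, week, _ = d.isocalendar()
    return f"{year}w{week:02d}"


def dkim_txt_value(pem_public_key: str, key_type: str = "rsa") -> str:
    """Turn a PEM 'PUBLIC KEY' (what `openssl rsa -pubout` emits) into the DKIM TXT value.
    The p= tag is simply the PEM body: base64 DER SubjectPublicKeyInfo, no headers, no newlines."""
    body = "".join(
        line.strip() for line in pem_public_key.strip().splitlines()
        if not line.strip().startswith("-----")
    )
    base64.b64decode(body, validate=True)  # raises binascii.Error (a ValueError) on a mangled key
    return f"v=DKIM1; k={key_type}; p={body}"


def zone_record(selector: str, domain: str, txt: str, ttl: int = TTL_SECONDS) -> str:
    """Zone-file line for the selector. A 2048-bit RSA p= pushes the value past the
    255-octet limit of a single TXT string, so it is split into several quoted strings,
    which verifiers concatenate (RFC 6376 section 3.6.2.2)."""
    chunks = [txt[i:i + 255] for i in range(0, len(txt), 255)]
    return f"{selector}._domainkey.{domain}. {ttl} IN TXT " + " ".join(f'"{c}"' for c in chunks)


def plan_rotation(today: date, published: dict) -> dict:
    """Decide today's actions. `published` maps selector name -> Monday its window starts.

    delete:    selectors whose window ended more than TRANSIT_DAYS ago; no legitimate
               mail signed with them should still await verification, so the record goes
               and, one TTL later, replays of that mail stop verifying.
    publish:   this week's and next week's selectors if not yet in DNS, so a record is
               live for far longer than one TTL before the first message uses it.
    sign_with: the selector whose window contains today (or, on bootstrap, the newest
               record already in DNS until the new one has propagated).
    """
    this_week = period_start(today)
    next_week = this_week + timedelta(days=PERIOD_DAYS)
    plan = {"publish": [], "sign_with": None, "delete": []}
    for name, start in sorted(published.items(), key=lambda kv: kv[1]):
        if start + timedelta(days=PERIOD_DAYS + TRANSIT_DAYS) <= today:
            plan["delete"].append(name)
    for start in (this_week, next_week):
        if selector_name(start) not in published:
            plan["publish"].append(selector_name(start))
    current = selector_name(this_week)
    if current in published:
        plan["sign_with"] = current
    else:
        live = [n for n in published if n not in plan["delete"]]
        plan["sign_with"] = max(live, key=lambda n: published[n]) if live else current
    return plan


# Constructed sample state for the demo: three weeks of selectors already in DNS.
EXAMPLE_TODAY = date(2024, 4, 22)  # a Monday, ISO week 17
EXAMPLE_PUBLISHED = {
    "2024w15": date(2024, 4, 8),
    "2024w16": date(2024, 4, 15),
    "2024w17": date(2024, 4, 22),
}
# Placeholder PEM, NOT a real key: only here to show the PEM -> p= conversion.
PLACEHOLDER_PEM = "-----BEGIN PUBLIC KEY-----\nQUJDRA==\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    print(plan_rotation(EXAMPLE_TODAY, EXAMPLE_PUBLISHED))
    print(zone_record("2024w18", "example.com", dkim_txt_value(PLACEHOLDER_PEM)))
```

Run from cron once a day: apply the `delete` list to the zone, generate a key and publish the `publish` selectors, and point the signer (the selector in `s=`) at `sign_with`. The transit allowance is the one number to think about: too short and a delayed legitimate message fails verification, too long and the replay window Ralph is closing stays open that much longer.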