As you can read here: "A selector is added to the domain name, used to find DKIM public key information." Also, in Wikipedia terms: "The receiving SMTP server uses the domain name and the selector to perform a DNS lookup ... the selector is a straightforward method to allow signers to add and remove keys whenever they wish."

In other words, if you are sending a DKIM-signed e-mail, you have to tell external mail servers HOW they can retrieve your RSA key to check the validity of your e-mail. The RSA key is published in your DNS, ok, but WHERE? Which DNS query will retrieve it? How will they know which DNS record to resolve?

This is where the selector plays its role: if you are sending mail from your domain and, in your mail, you declare whatever as the selector, then:

- in the outgoing mail header you need to reference your domain and the related selector, like in: DKIM-Signature: d= s=whatever
- in your DNS you have to provide a TXT record for whatever._ (RFC 6376 places it at selector._domainkey.domain) publishing your RSA key, like in: whatever._ IN TXT "k=rsa; t=s; p=MIGfMAAQAB"

As you can see, the DNS query is built from the selector and the domain, so the verifier can find the key without any out-of-band configuration.

The RSA key can be replaced/updated without any impact on the selector. Obviously it's critical that, when you update one side of the key (the public one, published in DNS), you also change the other side (the private one, used to sign your outgoing mail). But if you leave the selector unchanged while updating the RSA key, a side effect is that remote clients (not servers; I'm talking about MUAs) that for whatever reason want to check the DKIM signature included in their old/archived e-mails will fail the verification process, as the archived e-mail was signed with a private key whose public half, the one published in DNS, has since been replaced and is now different! That is exactly what the selector is for: publish the new key under a new selector, and keep the old selector's TXT record in DNS for as long as you care about old mail still verifying.
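The following Go program is an added example (not code from this post or from any DKIM library) that walks through the mechanism above end to end: it parses the d= and s= tags out of a DKIM-Signature header, builds the selector._domainkey.domain lookup name, parses the k=/p= tags of the TXT record, verifies the RSA signature, and then shows both rotation strategies side by side. The domain example.com, the selector names jan2023/feb2023, the message body and the in-memory map standing in for DNS are all constructed for the demo. The signature is deliberately simplified: real DKIM canonicalises the signed headers and the body and carries h=/bh= tags, whereas here only sha256(body) is signed, which is enough to show why the selector matters.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// ParseTags splits a DKIM tag=value list ("k=rsa; t=s; p=MIGf...") into a map,
// dropping whitespace inside values because p= is usually folded across lines.
func ParseTags(s string) map[string]string {
	tags := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) != 2 {
			continue
		}
		tags[strings.TrimSpace(kv[0])] = strings.Join(strings.Fields(kv[1]), "")
	}
	return tags
}

// LookupName builds the DNS name a verifier queries: <selector>._domainkey.<domain>.
func LookupName(selector, domain string) string {
	return selector + "._domainkey." + domain
}

// TXTRecord renders an RSA public key as the TXT record published under that name.
func TXTRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// Sign builds a simplified DKIM-Signature header. Real DKIM canonicalises the
// signed headers and the body before hashing; here only sha256(body) is signed.
func Sign(priv *rsa.PrivateKey, domain, selector, body string) (string, error) {
	h := sha256.Sum256([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("v=1; a=rsa-sha256; d=%s; s=%s; b=%s", domain, selector, base64.StdEncoding.EncodeToString(sig)), nil
}

// Verify is what a receiving server or an MUA does: take d= and s= from the
// header, fetch <s>._domainkey.<d> (dns stands in for the resolver), parse p=.
func Verify(dns map[string]string, header, body string) error {
	tags := ParseTags(header)
	name := LookupName(tags["s"], tags["d"])
	rec := ParseTags(dns[name]) // missing record -> empty map -> no p= -> error below
	der, err := base64.StdEncoding.DecodeString(rec["p"])
	parsed, _ := x509.ParsePKIXPublicKey(der)
	pub, isRSA := parsed.(*rsa.PublicKey)
	if err != nil || !isRSA {
		return fmt.Errorf("no usable RSA key in the TXT record at %s", name)
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil {
		return err
	}
	h := sha256.Sum256([]byte(body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// RotationDemo signs an "archived" message, then reports whether it still verifies
// (a) after the key under the same selector is replaced, (b) with a new selector.
func RotationDemo() (bool, bool, error) {
	const domain = "example.com" // assumed domain; the post does not show its own
	dns := map[string]string{}   // constructed stand-in for the DNS zone
	oldKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	newKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return false, false, fmt.Errorf("keygen failed: %v %v", err1, err2)
	}
	body := "Hello from January.\r\n" // constructed archived message
	dns[LookupName("jan2023", domain)] = TXTRecord(&oldKey.PublicKey)
	header, err := Sign(oldKey, domain, "jan2023", body)
	if err != nil {
		return false, false, err
	}
	// (b) New key under a new selector, old record left in place: old mail still verifies.
	dns[LookupName("feb2023", domain)] = TXTRecord(&newKey.PublicKey)
	newSelectorOK := Verify(dns, header, body) == nil
	// (a) New key under the same selector: the record the MUA fetches no longer matches.
	dns[LookupName("jan2023", domain)] = TXTRecord(&newKey.PublicKey)
	sameSelectorOK := Verify(dns, header, body) == nil
	return sameSelectorOK, newSelectorOK, nil
}

func main() {
	fmt.Println(RotationDemo()) // prints: false true <nil>
}
```

Run it with `go run .`; the first value is the archived message checked after an in-place key swap under jan2023 (fails), the second is the same message checked with the new key published under feb2023 and the jan2023 record kept (succeeds). The t=s flag from the post's record is not interpreted here: it only restricts the i= identity to the exact d= domain and does not change the lookup.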
January 2023