DKIM support

[hireahit]

Would it be possible to add a DKIM ADSP record similar to how SPF records are noted in a DNS Report?

[hall]

This is a great idea..... DNSStuff, hello?

[mike_keighley]

What ?  "Domain Keys" is a great idea ?  Don't make me laugh / hurl.

Or ?  "a tool to check and interpret DK records" is a great idea ?  Maybe.  How about some more detail to go on ?

[hireahit]

I thought the request was fairly straight forward: Show DKIM ADSP records similar to how SPF records are displayed in a DNS report.

In other words, report if a DKIM ADSP record exists or not, and the status of the record if it exists.

If you don't know what DKIM ADSP records are, you might want to look it up rather then looking confused.

[mike_keighley]

If you don't know what DKIM ADSP records are, you might want to look it up rather then looking confused.

Oh, I have a fair idea what they are, thanks.  What I am not so clear on is how wide adoption is, whether the effort would be justified, whether anything based on self-certified keys is ultimately worth the electrons it is signed with ...

Since you draw a comparison with SPF, however, I can't help noting that an ADSP seems to be merely a statement of signing policy by the sending domain.  Is it actually possible to do meaningful validation of an ADSP record itself, in the absence of a particular DKIM-signed email ?

[hireahit]

You apparently don't have a clue what DKIM ADSP records are or how they work -- Fair enough.

DKIM records themselves cannot be evaluated without seeing a signed message unless zone transfers are enabled since the name of the selector isn't otherwise known in advance.

DKIM ADSP records, on the other hand, allow a recipient to know whether or not to reject a message which either fails to validate, or isn't signed at all.  As a result, similar to SPF, the DKIM ADSP record is in a known location and does not require a correctly signed messages to retrieve the DKIM ADSP record.

I'd love to suggest verifying the existence and validity of DKIM records, but since this isn't possible without knowing the selector, it's probably more hassle then it's worth.

[dbass99]

Thanks for making the request.  We are always looking for ways to help our customer base with configuration and error checking. 

There are many RFC's that are currently being implemented by our users that may, as yet, not be an official standard.  We are are working on our tools and have discussed a possible method by which our users may be able to test records based on pure conformity to standards, conformity to popular proposed standards and/or general best practices.

Please feel free to send your ideas to our forum or directly to us in email.  We are listening and collecting every idea to review for our future features list.

Making the DKIM ADSP record visible like the SPF to know if it is unknown, all, or discardable would be of interest to certain people.