[dmarc-discuss] DKIM selectors (was: How does *this* mailing list interact with dmarc?)

Steven Chamberlain steven at pyro.eu.org
Fri Jun 22 13:38:00 PDT 2012


On 22/06/12 21:09, Franck Martin wrote:
> The important part is s= is for key rotation. Like with DNSSEC you are
> supposed to rotate your keys on a regular basis. Nobody does, but that's
> disaster waiting to happen, and then everyone willŠ

I do :)

Every month I generate a new DKIM key, publish it in DNS a few days
before the start of the month, and try to keep only this and the
previous month's key in DNS at a time.

That way I feel comfortable about using a shorter 1024-bit key (results
in a smaller DNS records, also making them less of a target for
bandwidth amplification attacks).  And it keeps me quite 'agile' in case
of compromise, or having to deal with cryptographic weaknesses someday
(like with the Debian openssl thing).

Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org


More information about the dmarc-discuss mailing list