[dmarc-discuss] DKIM selectors (was: How does *this* mailing list interact with dmarc?)

Steven Chamberlain steven at pyro.eu.org
Fri Jun 22 13:38:00 PDT 2012

On 22/06/12 21:09, Franck Martin wrote:
> The important part is s= is for key rotation. Like with DNSSEC you are
> supposed to rotate your keys on a regular basis. Nobody does, but that's
> a disaster waiting to happen, and then everyone will...

I do :)

Every month I generate a new DKIM key, publish it in DNS a few days
before the start of the month, and try to keep only this and the
previous month's key in DNS at a time.

That way I feel comfortable about using a shorter 1024-bit key (results
in smaller DNS records, also making them less of a target for
bandwidth amplification attacks).  And it keeps me quite 'agile' in case
of compromise, or having to deal with cryptographic weaknesses someday
(like with the Debian openssl thing).

Steven Chamberlain
steven at pyro.eu.org
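
The monthly schedule described in the message above, written out as an added example (not part of the original post and not the poster's own tooling). The YYYYMM selector naming, the five-day lead time and the function names are assumptions made for illustration.

```python
import re
from datetime import date, timedelta

LEAD_DAYS = 5                          # assumption: "a few days" of pre-publication
MONTHLY = re.compile(r"^\d{6}$")       # assumption: selectors are named YYYYMM


def selector_for(year, month):
    return f"{year:04d}{month:02d}"


def shift_month(year, month, delta):
    """Move (year, month) by delta months, handling year boundaries."""
    idx = year * 12 + (month - 1) + delta
    return idx // 12, idx % 12 + 1


def rotation_plan(today, published, lead_days=LEAD_DAYS):
    """Compare the selectors currently in DNS with the monthly schedule."""
    cur = (today.year, today.month)
    nxt = shift_month(*cur, 1)
    wanted = {selector_for(*cur), selector_for(*shift_month(*cur, -1))}
    # Pre-publish next month's key so the record has propagated before signing
    # switches over; three selectors overlap briefly (assumed behaviour).
    if today >= date(nxt[0], nxt[1], 1) - timedelta(days=lead_days):
        wanted.add(selector_for(*nxt))
    # Only selectors that follow the monthly scheme are ever proposed for
    # removal, so unrelated selectors (e.g. a vendor's) are left alone.
    managed = {s for s in published if MONTHLY.match(s)}
    sign_with = selector_for(*cur)
    return {
        "sign_with": sign_with,
        "sign_ready": sign_with in managed,   # False => key missed its publish window
        "publish": sorted(wanted - managed),
        "retire": sorted(managed - wanted),
    }


if __name__ == "__main__":
    # Constructed sample state: DNS as it might look on the date of the post.
    print(rotation_plan(date(2012, 6, 22), {"201204", "201205", "201206"}))
    print(rotation_plan(date(2012, 6, 27), {"201205", "201206"}))
```

A `sign_ready` value of False means the current month's selector is not yet in DNS, so switching the signer to it would produce signatures that receivers cannot verify.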
