
Mailing List Archive: exim: dev

Re: [exim-cvs] cvs commit: exim/exim-doc/doc-docbook spec.xfpt exim/exim-doc/doc-txt ChangeLog experimental-spec.txt

 

 



exim-dev at spodhuis

Jun 12, 2009, 4:00 PM


On 2009-06-11 at 15:07 +0100, Tom Kistner wrote:
> tom 2009/06/11 15:07:57 BST
>
> Modified files:
> exim-doc/doc-docbook spec.xfpt
> exim-doc/doc-txt ChangeLog experimental-spec.txt
> Log:
> DKIM docs WIP

> Index: experimental-spec.txt
> ===================================================================

> -0. DKIM support

> -1. Yahoo DomainKeys support
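
Review bot: The log message "DKIM docs WIP" does not say that the "1. Yahoo DomainKeys support" section is removed from experimental-spec.txt together with "0. DKIM support". Someone reading the log alone cannot tell that DomainKeys documentation is going away, so state that removal in the log message, and say whether it is only the documentation or the feature itself that is being dropped.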

Does this mean that DomainKeys support disappears with 4.70?

Since in 4.69, in practice it's DomainKeys or DKIM but not both when
signing outbound mail (DKIM silently ignored) what is the migration
strategy for sites currently using DomainKeys? Do they need to get DKIM
support built in 4.69 and just stop using DomainKeys?

The issue I'm wary of is remote sites which use reputation systems for
senders that track whether a domain uses DomainKeys and how reliably it
does so; if a domain stops DomainKeys usage without first ramping up
DKIM usage to establish a history of that, this might affect
deliverability to some of the larger email providers.

For me, I'm still using DomainKeys because of all the fuss over the
standardisation of signing-policy-in-DNS preventing a useful policy for
DKIM from being published. Ie, _domainkey.spodhuis.org exists and when
I last checked there wasn't an equivalent for DKIM;
_adsp._domainkey.spodhuis.org looks like it would be the current
mechanism, but who uses that?

Until there are signing policies in DNS for DKIM and those are used in
practice, can DomainKeys be dropped?

-Phil

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##


tom at duncanthrax

Jun 13, 2009, 2:48 AM


Phil Pennock wrote:

> Does this mean that DomainKeys support disappears with 4.70?

Yes.

> Since in 4.69, in practice it's DomainKeys or DKIM but not both when

I had put code that enables parallel DKIM/Domainkeys usage in CVS, but
sadly, I think it was never released.

> signing outbound mail (DKIM silently ignored) what is the migration
> strategy for sites currently using DomainKeys? Do they need to get DKIM
> support built in 4.69 and just stop using DomainKeys?

Ahem, yes. I'm afraid there is only a direct Domainkeys->DKIM migration.
Both having been EXPERIMENTAL_ features, one is now being removed while
the other gets full blessing (and a native implementation).

> The issue I'm wary of is remote sites which use reputation systems for
> senders that track whether a domain uses DomainKeys and how reliably it
> does so; if a domain stops DomainKeys usage without first ramping up
> DKIM usage to establish a history of that, this might affect
> deliverability to some of the larger email providers.

Hrrrm. I wasn't aware that reputation systems are so advanced :)

You can pull last week's exim-src from CVS, it will have parallel
DKIM/Domainkeys support via the appropriate libraries. Now I know that
this is not a solution for everyone, but I think you are a special case
anyway :)

> For me, I'm still using DomainKeys because of all the fuss over the
> standardisation of signing-policy-in-DNS preventing a useful policy for
> DKIM from being published. Ie, _domainkey.spodhuis.org exists and when
> I last checked there wasn't an equivalent for DKIM;
> _adsp._domainkey.spodhuis.org looks like it would be the current
> mechanism, but who uses that?

Not sure. I don't :). I think it's more important that people start
signing first.

> Until there are signing policies in DNS for DKIM and those are used in
> practice, can DomainKeys be dropped?

I think it can. Sometimes it's better to give people a nudge in the
right direction. The new DKIM support is built by default. Basic logging
of signature status is also enabled by default. This will give DKIM much
more visibility, and hopefully more people will start signing as well.


/tom



peter at bowyer

Jun 13, 2009, 4:01 AM


2009/6/13 Tom Kistner <tom [at] duncanthrax>:
> Phil Pennock wrote:
>
>> Does this mean that DomainKeys support disappears with 4.70?
>
> Yes.

-1 for that - although DK has had 'experimental' status, it's been
around for long enough to have a significant install base. Any way we
can avoid this? I take the point about DKIM being the future, but
since we haven't done a release of Exim in ages there may be some
other significant features in 4.70 worth upgrading for and the DK/DKIM
issue could be a blocker for many.

Peter



--
Peter Bowyer
Email: peter [at] bowyer
Follow me on Twitter: twitter.com/peeebeee

