Sep 22, 2020
DomainKey Policy Tester
There are basically two types of DNS records used by DomainKeys: policy records and public key records.
1) Policy records:
A domain name using DomainKeys should have a single policy record configured.
This is a DNS TXT-record with the name "_domainkey" prefixed to the domain name - for example "_domainkey.domainname.com".
The data of this TXT-record contains the policy which is basically either "o=-" or "o=~".
"o=-" means "all e-mails from this domain are signed", and "o=~" means "some e-mails from this domain are signed".
Additional fields for test (t), responsible e-mail address (r), and notes (n) may also be included - for example "o=-; n=some notes".
Receiving e-mail servers check this policy record to find out to what extent the sender domain name uses DomainKeys (if there is no such record, the domain does not use DomainKeys).
Based on this, the receiving e-mail server might reject or flag un-signed messages from this domain name.
2) Public key records:
An e-mail message signed with DomainKeys will include a header item "DomainKey-Signature" containing the cryptographic signature and a few other fields, including a "selector" (s=). The selector names a public key record in DNS, and that record can carry the following tags.
The current valid tags are:
g: granularity of the key. If present with a non-zero length value, this value MUST exactly match the local part of the sending address. This tag is optional. The intent of this tag is to constrain which sending address can legitimately use this selector. An email with a sending address that does not match the value of this tag constitutes a failed verification.
k: key type (rsa is the default). Signers and verifiers MUST support the 'rsa' key type.
n: notes that may be of interest to a human. No interpretation is made by any program. This tag is optional.
p: public-key data, encoded as a Base64 string. An empty value means that this public-key has been revoked. This tag MUST be present.
t: testing mode ('y' means that this domain is testing DomainKeys and unverified email MUST NOT be treated differently from verified email. Recipient systems MAY wish to track testing mode results to assist the sender.) This tag is optional.
r: a reporting email address. If present, this defines the email address where invalid verification results are reported. This tag is primarily intended for early implementors - the content and frequency of the reports will be defined in a separate document.
For the receiving e-mail server to verify this signature, it must first obtain the public key for the selector value.
This is stored in a DNS TXT-record whose name is the selector (s=...) + "._domainkey." + the domain name - for example "sel1._domainkey.domainname.com" for selector "sel1". The data of this TXT-record is in the format "k=rsa; p=MHww..." where the value after p= is the public key. Additional fields for granularity (g), test (t), and notes (n) may also be included.
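The following Python script is an added example written for this article; it is not the policy tester's own code. It builds the DNS names for both record types described above (the policy record under 1) and the public key record under 2)), parses the "tag=value; tag=value" TXT data, and applies the checks the article lists: the "o=-" / "o=~" policy verdict for an unsigned message, the mandatory p tag, the empty-p revocation case, the key type, the g granularity match against the sender's local part, and t=y testing mode. The SAMPLE_TXT dictionary stands in for a DNS resolver and holds constructed records for a hypothetical domain; the p= value is merely valid Base64, not a real RSA key.

```python
import base64
import binascii

# Constructed sample TXT records for a hypothetical domain; these are not
# real DNS data and the p= value is just valid Base64, not a real RSA key.
SAMPLE_TXT = {
    "_domainkey.example.com": "o=-; n=all outgoing mail is signed",
    "_domainkey.partial.example": "o=~",
    "sel1._domainkey.example.com": (
        "k=rsa; t=y; g=news; "
        "p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAKJ2lzDLZ8XlVambQfMXn3LRGKOD5o6l"
    ),
    "old._domainkey.example.com": "k=rsa; p=",
}


def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT record into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            tags[name.strip()] = value.strip()
    return tags


def policy_record_name(domain):
    """Name of the single policy record: "_domainkey" prefixed to the domain."""
    return f"_domainkey.{domain}"


def key_record_name(selector, domain):
    """Name of the public key record: selector + ._domainkey. + domain."""
    return f"{selector}._domainkey.{domain}"


def policy_verdict(lookup, domain, message_signed):
    """What the policy record says about a message from `domain`.

    `lookup(name)` returns the TXT data for a DNS name, or None if absent
    (SAMPLE_TXT.get stands in for a real resolver in this example).
    """
    txt = lookup(policy_record_name(domain))
    if txt is None:
        return "no-policy"          # domain does not use DomainKeys
    tags = parse_tags(txt)
    if message_signed:
        return "signed"             # signature still has to be verified via the key record
    if tags.get("o") == "-":
        return "reject-or-flag"     # all mail is declared signed, this message is not
    if tags.get("o") == "~":
        return "accept"             # only some mail is signed; unsigned mail is expected
    return "unknown-policy"


def check_key_record(lookup, selector, domain, sender_local_part):
    """Fetch and sanity-check the public key record before using it to verify."""
    txt = lookup(key_record_name(selector, domain))
    if txt is None:
        return "no-key"
    tags = parse_tags(txt)
    if "p" not in tags:
        return "malformed"          # the p tag MUST be present
    if tags["p"] == "":
        return "revoked"            # empty p means the key has been revoked
    if tags.get("k", "rsa") != "rsa":
        return "unsupported-key-type"
    try:
        base64.b64decode(tags["p"], validate=True)
    except binascii.Error:
        return "bad-key-encoding"
    granularity = tags.get("g", "")
    if granularity and granularity != sender_local_part:
        return "granularity-mismatch"   # wrong sending address for this selector
    if tags.get("t") == "y":
        return "testing"            # unverified mail must not be treated differently
    return "ok"


if __name__ == "__main__":
    print(policy_verdict(SAMPLE_TXT.get, "example.com", message_signed=False))
    print(check_key_record(SAMPLE_TXT.get, "sel1", "example.com", "news"))
    print(check_key_record(SAMPLE_TXT.get, "old", "example.com", "bob"))
```

To run it against live DNS, replace SAMPLE_TXT.get with a function that performs a TXT query and returns the joined record data (or None on NXDOMAIN); the verdict strings are deliberately coarse so that the caller decides whether "reject-or-flag" means rejection or a spam-score adjustment.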
Nov 30, 2005 11:15 AM