random technical thoughts from the Nominet technical team

DKIM and DomainKeys signing for @nominet.org.uk e-mails

Posted by dmitri on May 8th, 2008

This is a follow-up to my previous article, DomainKeys signing for nominet.org.uk e-mails… not just yet, which I wrote a month ago. Since then all I have done is read RFC4871, forsaking all my other duties and losing sleep and appetite.
After that I came up with the following findings:

  • DomainKeys (rfc4870) is an obsolete standard for signing messages, but it is still widely used (compared to DKIM)
  • DKIM (rfc4871) is the current standard for signing messages
  • DomainKeys defines signing policies but is vague about policies for subdomains
  • DKIM doesn’t define policies. Policies, or rather Author Signing Practices (Sender Signing Practices), are separated from DKIM into a different standard which is still a draft and quite frequently revised: draft-ietf-dkim-ssp-03.txt
  • If policies (practices) are not explicitly defined, Verifiers in both DomainKeys and DKIM assume that a Signing domain MAY sign messages, and Verifiers should treat unsigned messages as if the domain supported neither DomainKeys nor DKIM.

After considering all this I came up with the following plan for rolling out e-mail signing:

  • Upgrade our mail servers to a version which supports both DomainKeys and DKIM signing
  • Create DKIM and DomainKeys signing profiles on our mail servers
  • Publish DKIM and DomainKeys selectors with public keys in nominet.org.uk zone
  • Publish neither DomainKeys policies nor DKIM Author Signing Practices in the nominet.org.uk zone, effectively telling Verifiers that Nominet messages MAY be signed
  • Work out correct Author Signing Practices (or whatever they’ll be called by that time) once they become a standard.

With the plan in place I just followed it, and as of today all outgoing @nominet.org.uk messages are signed with both DKIM and DomainKeys (messages originating from subdomains, e.g. @lists.nominet.org.uk, are not signed at the moment). One note though: for now we decided to publish the selectors with the “test mode” flag set, but I think it’ll be removed very soon.
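What the “test mode” flag actually means for a verifier is decided by the t= tag of the selector's public-key record, so here is an added example (not Nominet's code or DNS data) that parses a selector TXT record as a tag=value list and reports the t=y test flag, the t=s flag that RFC4871 also defines to forbid subdomain identities, and the revoked-key case where p= is empty. The record values are constructed and the p= value is a placeholder, not a real key.

```python
import base64
from dataclasses import dataclass

# Constructed sample records, NOT Nominet's real DNS data; the p= value is a
# base64 placeholder ("PLACEHOLDER"), not a real RSA public key.
DKIM_TEST_RECORD = "v=DKIM1; k=rsa; t=y:s; p=UExBQ0VIT0xERVI="
REVOKED_RECORD = "v=DKIM1; k=rsa; p="


@dataclass
class KeyRecord:
    tags: dict
    testing: bool         # t=y: verifiers must treat messages as if unsigned
    no_subdomains: bool   # t=s: the i= domain must equal d= exactly
    revoked: bool         # an empty p= means the key has been revoked


def parse_tag_list(text: str) -> dict:
    """Parse a tag=value list as used by DKIM (RFC4871) and DomainKeys (RFC4870)."""
    tags = {}
    for field in text.split(";"):
        field = field.strip()
        if not field:
            continue            # tolerate a trailing ';'
        name, sep, value = field.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {field!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = "".join(value.split())   # whitespace inside values is ignored
    return tags


def parse_key_record(text: str) -> KeyRecord:
    """Interpret a selector TXT record; raises ValueError on records a verifier must reject."""
    tags = parse_tag_list(text)
    if tags.get("v", "DKIM1") != "DKIM1":     # v= is optional but must be DKIM1 if present
        raise ValueError("unsupported key record version")
    if "p" not in tags:
        raise ValueError("key record has no p= tag")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type")
    flags = set(tags.get("t", "").split(":")) - {""}
    pubkey = base64.b64decode(tags["p"], validate=True) if tags["p"] else b""
    return KeyRecord(tags, "y" in flags, "s" in flags, revoked=(pubkey == b""))
```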

My appetite is back until I need to read another RFC.

One Response

  1. Slava Says:

    Hey

    I need some help with this. I have a joomla site and I set up DomainKeys. When I send messages from the command line, they are signed and verified. But when a message is generated by the site, I see that it’s signing the e-mail but it is not verified on the client side. Can you help?
