5

I used this utility to create my DKIM key (1024 bit size), since Gmail has been blocking us (we had an old Joomla install exploited; it was around before me). And I got this back:

Your Selector Record:
default._domainkey.example.com IN TXT "k=rsa;p=REALLYLONGSTRINGXXXXXXX"

Your Policy Record:
_domainkey.example.com IN TXT "o=~"

However, the DomainKey that MediaTemple's Plesk gave me had o=-, so I used that for the policy record instead.

Is that OK?

I tested with this and also tried to test with some DKIM email testers, but have not gotten an email back from any of them.

HopelessN00b
hardbizkit
    FYI, 1024 bit keys are exploitable, and for that reason, Google recently upped their key strength to 2048 bit. (And they're not alone.) If you have the option, I would use a 2048 bit key, so you don't have to do this again anytime soon. – HopelessN00b Jan 21 '14 at 23:44
  • Google's guidelines at https://support.google.com/mail/answer/81126 haven't been updated with that information. My host won't let me put in more than 255 characters for a record – hardbizkit Jan 22 '14 at 21:06

1 Answer

8

The o= tag at the _domainkey root is mentioned in this DKIM specification draft as an optional mechanism to indicate your outbound signing policy.

o=~ means "some, but not all mails from this domain are signed"
o=- means "all mails from this domain are signed (though not necessarily by me)"

Much akin to (though not to be confused with) the Fail and SoftFail qualifiers used in SPF.

Remember that this is your signing policy; you are the one to decide which policy indicator best meets your needs.

Mathias R. Jessen
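A way to check the records discussed above offline, as an added example (it is not code from the question, the answer, or any utility or hosting panel mentioned on the page). It parses the tag=value syntax that RFC 6376 defines for DKIM records, reports what an o=~ or o=- policy record means (the legacy DomainKeys tag the answer describes), reads the RSA modulus size out of a selector record's p= value (the 1024 versus 2048 bit point raised in the comments), and shows how a TXT value longer than 255 characters is written as several quoted strings that DKIM verifiers concatenate. The RSA keys are placeholder moduli constructed inside the code, not real keys, and the record strings are constructed samples.

```python
"""Offline checks for DKIM/DomainKeys DNS TXT records (added example, not from
the original post).  Tag=value syntax follows RFC 6376 section 3.2; o= is the
legacy DomainKeys (RFC 4870) policy tag.  All keys here are placeholders."""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id-rsaEncryption
POLICY_MEANING = {
    "~": "some, but not all, mail from this domain is signed",
    "-": "all mail from this domain is signed (though not necessarily by this domain)",
}

def parse_tag_list(record):
    """Parse 'tag=value; tag=value' into a dict; duplicate tags are an error."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue  # empty element, e.g. a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name) or name in tags:
            raise ValueError(f"bad or duplicate tag name: {name!r}")
        # A base64 value may be folded over whitespace in the zone file; drop it.
        tags[name] = re.sub(r"\s+", "", value) if name == "p" else value
    return tags

def describe_policy(record):
    """Explain a _domainkey policy record such as 'o=~' or 'o=-'."""
    o = parse_tag_list(record).get("o")
    return POLICY_MEANING.get(o, f"unknown or missing o= value {o!r}")

# Minimal DER helpers: enough to build and read an RSA SubjectPublicKeyInfo.
def _der(tag, body):
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)

def make_spki(modulus, exponent=65537):
    """DER-encode an RSA public key as SubjectPublicKeyInfo (sample input only)."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))

def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Return the RSA modulus size in bits from a DER SubjectPublicKeyInfo."""
    _, body, _ = _read_tlv(spki)
    _, alg, pos = _read_tlv(body)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an RSA key")
    _, bitstr, _ = _read_tlv(body, pos)
    _, rsa_key, _ = _read_tlv(bitstr, 1)  # skip the unused-bits octet
    _, n, _ = _read_tlv(rsa_key)
    return int.from_bytes(n, "big").bit_length()

def selector_record(modulus):
    """Build a 'v=DKIM1; k=rsa; p=...' record for a placeholder RSA modulus."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(make_spki(modulus)).decode()

def check_selector_record(record, min_bits=2048):
    """Return findings for a selector record, including the RSA key size."""
    tags = parse_tag_list(record)
    findings = []
    p = tags.get("p")
    if p is None:
        findings.append("missing p= tag")
    elif p == "":
        findings.append("empty p= means the key is revoked")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
        except Exception as exc:  # bad base64 or malformed DER
            findings.append(f"p= is not a valid RSA public key: {exc}")
        else:
            findings.append(f"RSA modulus is {bits} bits")
            if bits < min_bits:
                findings.append(f"key is shorter than {min_bits} bits")
    return findings

def split_txt_strings(value, limit=255):
    """Quote a long TXT value as several <=255-byte strings; verifiers join them."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join(f'"{c}"' for c in chunks)

# Constructed 1024-bit placeholder, the key size used in the question.
WEAK_RECORD = selector_record((1 << 1023) | 1)
```

`check_selector_record(WEAK_RECORD)` reports a 1024 bit modulus and flags it as shorter than 2048 bits; the same call on `selector_record((1 << 2047) | 1)` returns only the size. A 2048 bit key produces a p= value of roughly 390 characters, so the whole record exceeds a single 255-byte TXT string; `split_txt_strings` shows the multi-string form that a zone file or `dig` output uses for it. Whether a hosting panel lets you enter several strings for one record is up to the panel.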