Setting up a mailserver is a horrible experience in itself, but I like challenges.

DKIM in particular is so insanely bad though that I'm contemplating joining BigTech in their crusade against e-mail.
@stevelord My problem I think is with the fundamentals. Suppose you are a tech enthusiast who wants to use this mode of auth. Now you have to:
- Learn that your keys won't fit into DNS records
- Learn that while you can split your key to multiple records, there is no guarantee the client will concat them in a particular order
- Learn that while you can fall back to shorter key sizes they may be insecure or require an algorithm that either your tool or the receivers doesn't support

While you test all this, you also have to consider caching of course.

Did I miss anything?
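The first two bullets above, as an added example that is not code from anyone in this thread: a publisher side that builds a DKIM TXT record and splits it into the 255-byte character-strings DNS allows, and a verifier side that joins the strings back together, parses the tags and reads the RSA modulus size from the published key. The DER helpers, the record layout and the moduli are assumptions of this example; the key material is constructed to have the right length and is not a real key.

```python
import base64

def der_tlv(tag, body):
    # Minimal DER encoder: tag, short/long-form length, body
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body
def der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return der_tlv(0x02, b"\x00" + raw if raw[0] & 0x80 else raw)
def rsa_spki(modulus, exponent=65537):
    # SubjectPublicKeyInfo for rsaEncryption (OID 1.2.840.113549.1.1.1).
    # The modulus is a constructed stand-in of the right size, not a real key.
    alg = der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    key = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key))

def dkim_record_strings(spki_der):
    # Publisher side: a TXT character-string holds at most 255 bytes, so the
    # record is split into consecutive strings inside one TXT RR.
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode()
    return [record[i:i + 255] for i in range(0, len(record), 255)]

def der_read(buf, pos):
    # Minimal DER reader: returns (tag, body, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        size = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + ln], pos + ln
def modulus_bits(spki):
    _, outer, _ = der_read(spki, 0)
    _, _alg, p = der_read(outer, 0)            # skip AlgorithmIdentifier
    _, bitstr, _ = der_read(outer, p)          # BIT STRING; byte 0 = unused bits
    _, rsakey, _ = der_read(bitstr[1:], 0)     # RSAPublicKey SEQUENCE
    _, n_raw, _ = der_read(rsakey, 0)          # modulus INTEGER
    return int.from_bytes(n_raw, "big").bit_length()

def dkim_key_bits(strings):
    # Verifier (RFC 6376 s3.6.2.2): join the strings with no whitespace, parse tags
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("unsupported record or revoked key (empty p=)")
    return modulus_bits(base64.b64decode(tags["p"]))
```

With these helpers a 1024-bit key fits in a single string while a 2048-bit key needs two, which is the size boundary the bullets describe; the DER reader is deliberately minimal and a real verifier would hand the decoded key to a crypto library instead.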
@stevelord Oh yes that's also a fun trick to debug!

@buherator So far the Swiss provider Protonmail and the German providers Tutanota and mailbox.org appear to get this task done in a manner that passes due diligence every time I run it. Running my own mailserver and installing patches / checking logs on Sunday mornings? Thanks, but no thanks.

@ping4pong My goal is to learn, but I agree ignorance is sometimes bliss :)

@buherator @stevelord Also, if you use Spamhaus ZEN for DNSBL, then remember to use a local caching resolver such as Unbound, as requests via open DNS like Quad9 are rejected.


@buherator @stevelord if you want help, ask. My street creds are summarised by “running his own mail server since UUCP and other people’s on request.”


@buherator @stevelord Also, if you implement “BIMI”¹ so that your “brand indicator” appears next to email in certain webmail services, then remember the image can be anything you want flan_molotov ²

__
¹ https://en.wikipedia.org/wiki/Brand_Indicators_for_Message_Identification
² there are domains known to have goatse…

@cynicalsecurity @stevelord Thanks, I'm pretty sure I could handle this, but also that I don't want to: as I understand it, DNS makes signature evaluation non-deterministic, and according to some test services, having a failed DKIM check results in worse scores than no DKIM, so it's better not to configure it in the first place...

Re: BIMI I hope I can sit out the time it dies as it should...

@stevelord yes, isn't it sooo tempting? flan_evil @buherator


@stevelord not that I might have BIMI enabled on several of my domains, nooo…. 😇 @buherator
