Domain Keys Identified Mail (DKIM)

Note: this FAQ is current as of December 2009

General

  • What is DKIM?
    • Domain Keys Identified Mail is an email authentication standard. It uses a public/private key pair to authenticate the domain responsible for an email.
  • Is your signature validation compliant with the DKIM standard (RFC 4871)?
  • Are you signing outbound mail?
    • Not at this time. We have plans to implement signing of outbound mail in the future. Look for announcements on the Postmaster Blog.
  • Do you support other sender authentication mechanisms?
    • We do not currently authenticate inbound email by any other mechanism. We will continue to evaluate other authentication technologies and adopt any that prove beneficial.

Deliverability, Reputation, & Display

  • Are DKIM-authenticated messages displayed differently than unsigned messages in the AOL client or AOL webmail?
    • There is no difference in how DKIM authenticated messages are rendered.
  • How will DKIM affect sender reputation and deliverability?
    • DKIM will allow senders to keep their reputation across IPs.
  • What are the deliverability impacts of a failed signature validation?
    • In the case of a failed signature, the message will be treated as unsigned.
  • What are the deliverability impacts of only signing some of my mail?
    • Only the signed messages will contribute to and be affected by your domain's DKIM reputation.
  • What do you do with unsigned mail?
    • The treatment of unsigned mail will not change.

Whitelisting & FBL

  • How does DKIM change the whitelisting process?
    • IP whitelisting will remain unchanged by DKIM. We plan to implement additional domain-based whitelisting in the future.
  • Will you change your feedback loop from IP-based to domain-based?
    • As with whitelisting, we plan to offer domain-based feedback loops as an additional option.
  • Will your feedback loop include DKIM validation results?
    • Yes. The authentication results are in the "X-AOL-SCOLL-AUTHENTICATION:" header, for example:
        X-AOL-IP: 91.190.168.14
        X-AOL-SCOLL-AUTHENTICATION: mail_rly_antispam_dkim-m230.1 ; domain : gmail.com DKIM : pass
        X-Mailer: Unknown (No Version)

Technical

  • Should I change any of my MTA connection characteristics?
    • No, your MTA configuration can remain the same.
  • How frequently can a signer change their keys?
    • As often as your DNS entry's TTL allows you to. However, we do not recommend changing more than once every 24 hours.
  • What algorithm choices does AOL support?
    • We support RSA-SHA1 and RSA-SHA256.

AOL Signature Validation

  • How will you handle messages with multiple signatures?
    • AOL currently validates only one signature. When a message carries multiple signatures, we attempt to validate the originator's signature first. We are evaluating data and industry use of multiple signatures and may change how we handle them in the future.
  • What does AOL consider to be a 3rd party signature?
    • Any signature whose d= tag is not the same as the RFC 2822 From: domain.
  • How are you using DKIM options like i=, d=, or z=?
    • We will use d= to establish the reputation of your domain.
  • What should the signer do to make AOL's use of the signature more helpful?
    • Use subdomains in d= to separate your mail into distinct classes. Example: Your Bank (yourbank.com) sends marketing mail and transactional bank statements and signs each class with its own subdomain:
      • d=statements.yourbank.com
      • d=marketing.yourbank.com
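As an added example (not AOL's code), this Python script applies the definitions above and the FBL header quoted earlier: it parses each DKIM-Signature d= tag, classifies it against the From: domain exactly as the FAQ defines a third-party signature, orders the originator's signature first, and extracts the DKIM result from an X-AOL-SCOLL-AUTHENTICATION header. The message, selectors, and bh=/b= values are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Matches the non-standard AOL header quoted in the FBL section ("domain : gmail.com DKIM : pass").
AOL_AUTH_RE = re.compile(r"domain\s*:\s*(\S+)\s+DKIM\s*:\s*(\S+)")

def dkim_tags(header_value):
    """Parse a DKIM-Signature tag=value list (RFC 4871), dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def from_domain(msg):
    """Domain of the RFC 2822 From: address, which the FAQ compares against d=."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def classify_signatures(raw_message):
    """Return (d=, kind) per DKIM-Signature, originator signatures first. Per the FAQ a
    signature is third-party when d= is not the same as the From domain; the match is exact,
    so d=statements.yourbank.com is third-party unless the From domain is that subdomain too."""
    msg = email.message_from_string(raw_message)
    author = from_domain(msg)
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        d = dkim_tags(sig).get("d", "").lower()
        results.append((d, "originator" if d == author else "third-party"))
    # AOL validates one signature and tries the originator's first.
    return sorted(results, key=lambda r: r[1] != "originator")

def aol_dkim_result(raw_message):
    """Extract (domain, result) from the X-AOL-SCOLL-AUTHENTICATION header of an FBL report."""
    msg = email.message_from_string(raw_message)
    m = AOL_AUTH_RE.search(msg.get("X-AOL-SCOLL-AUTHENTICATION", ""))
    return (m.group(1), m.group(2)) if m else None

# Constructed sample: an ESP's signature plus the bank's own; bh= and b= are placeholders.
SAMPLE = """\
From: Statements <statements@yourbank.com>
X-AOL-SCOLL-AUTHENTICATION: mail_rly_antispam_dkim-m230.1 ; domain : yourbank.com DKIM : pass
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=esp.example.net; s=sel1;
 h=from:subject; bh=BODYHASHPLACEHOLDER=; b=SIGNATUREPLACEHOLDER=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourbank.com; s=stmt2009;
 h=from:subject; bh=BODYHASHPLACEHOLDER=; b=SIGNATUREPLACEHOLDER=
"""
```

Replacing d=yourbank.com with d=statements.yourbank.com in the sample turns the bank's own signature into a third-party one under the FAQ's exact-match definition, which is the check a sender adopting per-class subdomains should run before cutting over.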

Reporting

  • Can you generate reports for signers to verify their signatures are properly validating in your system?
    • We have no plans to implement this type of reporting.
  • Do you generate or plan to generate "Authentication-Results:" header fields as defined by draft-kucherawy-sender-auth-header?
    • Currently we produce a non-standard AOL authentication results header based on an early version of draft-kucherawy-sender-auth-header. We intend to use the standard header at some point after it is approved.
  • If a message is refused due to signature validation failure, will it be clear that this is the reason?
    • Yes, the block code returned with the message will indicate if signature validation failure is the specific reason why the message was refused.

Author Domain Signing Practices (ADSP)

  • Can I have unsigned mail from my domain blocked?
    • We are currently exploring the best ways to support this in a scalable fashion.
  • Do you support the ADSP draft or plan to support ADSP once it's final?
    • We are supportive of the future use of ADSP and are investigating the implementation of ADSP once it becomes an approved standard.