Rob McEwen wrote:
Benny,
All I know for sure is this - for MANY legit emails - DKIM fails some
days later
Hours.
I've recently learned about this, in the context of trying to
welcomelist legitimate senders. A 2-hour validity window for the DKIM
signature is pretty common. :(
- when it had originally worked/validated at the time the
message was sent. I see this often in the real world when I rescan a
message to try to verify the impact on a message that a spam filtering
change caused - then notice that a very legit email that original passed
DKIM at the time the message was received - now suddenly fails DKIM
during this days-later rescan - and without ANY changes to the message
itself. I think that this is most likely caused by DNS records for that
DKIM being changed/updated.
On most of those messages I expect it's an attribute set on the
signature, not a rotated DKIM record.
Look for "t=..." and "x=..." in the DKIM-Signature header. t= is the
timestamp when it was signed, x= is when it expires.
-kgd