Is ed25519 well supported for DKIM validation?

Solution 1:

As of 2022-01, not a single big mail provider regularly verifies ed25519 signatures, though the reported result will not be consistent; I have seen in DMARC reports (along with pass for other signatures):

  • fail
  • permerror
  • temperror
  • neutral

Your configuration looks good to me, and should cause absolutely no issues when used as a supplement to 2048-bit RSA signatures. I am sending one of each signature, and that is also what everyone else adopting the new algorithm seems to be doing to test readiness for the transition.

All common software correctly parses the signature (so it can report the name) and ignores the signature algorithm it has yet to learn. I have still not received a single DMARC report from a public mail provider confirming any verified ed25519 signature.

My receiving experience continues to have more rsa-sha1 signatures (less useful nowadays; it should long have been succeeded by rsa-sha256) than ed25519-sha256 ones, but last year I saw the first EC ones from non-academic institutions, so adoption may finally be happening.
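The answer above describes dual-signing with rsa-sha256 and ed25519-sha256 and verifiers that simply skip the algorithm they do not implement. The following added example (my own code, not from the answerer or any mail software) shows that behaviour on a constructed message: it parses the DKIM-Signature tag lists, looks up the selector key records in an in-memory stand-in for DNS, and reports how a verifier with and without ed25519 support would treat each signature. It also catches the common ed25519 key-record mistake of publishing a DER-wrapped key instead of the raw 32-byte key that RFC 8463 requires. All selectors, domains, key bytes and signature bytes are constructed placeholders, and no signature is cryptographically verified; the 256-byte RSA signature length assumes a 2048-bit key as in the answer.

```python
"""Readiness check for dual DKIM signing (rsa-sha256 + ed25519-sha256).

Parses DKIM-Signature header fields and the selector key records they point
at, and shows how a verifier lacking ed25519 treats the message compared with
one that implements it. Standard library only; nothing here verifies a
signature cryptographically, it only checks structure and key-record format.
"""
import base64

# Expected raw signature sizes: Ed25519 is always 64 bytes; RSA depends on
# the key size (256 bytes assumes a 2048-bit key, as in the answer above).
EXPECTED_SIG_LEN = {"ed25519-sha256": 64, "rsa-sha256": 256}


def parse_tag_list(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict.

    All whitespace inside values (including header folding) is dropped, which
    is what base64-valued tags such as b=, bh= and p= require.
    """
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        tags[name.strip()] = "".join(val.split())
    return tags


def check_key_record(txt):
    """Validate a selector TXT record. Returns (key_type, list_of_problems)."""
    tags = parse_tag_list(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected version tag v=%s" % tags["v"])
    key_type = tags.get("k", "rsa")  # k= defaults to rsa when absent
    try:
        pub = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        return key_type, problems + ["p= is not valid base64"]
    if not pub:
        problems.append("empty p= (key revoked or missing)")
    elif key_type == "ed25519" and len(pub) != 32:
        # RFC 8463: p= carries the raw 32-byte public key, no DER wrapper.
        problems.append("ed25519 key must be 32 raw bytes, got %d" % len(pub))
    elif key_type == "rsa" and pub[0] != 0x30:
        # RFC 6376: p= carries a DER SubjectPublicKeyInfo, which starts with a
        # SEQUENCE tag (0x30).
        problems.append("rsa key is not a DER SubjectPublicKeyInfo")
    return key_type, problems


def evaluate(message_headers, dns_records, supported_algorithms):
    """Classify each DKIM-Signature the way a verifier with the given algorithm
    support would. Returns one dict per signature: selector, algorithm, status.
    The status strings are labels chosen for this example."""
    results = []
    for name, value in message_headers:
        if name.lower() != "dkim-signature":
            continue
        tags = parse_tag_list(value)
        alg = tags.get("a", "")
        selector, domain = tags.get("s", ""), tags.get("d", "")
        entry = {"selector": selector, "algorithm": alg}
        record = dns_records.get("%s._domainkey.%s" % (selector, domain))
        if alg not in supported_algorithms:
            # What today's common verifiers do with ed25519-sha256: ignore it
            # and let the other signatures decide the outcome.
            entry["status"] = "skipped: algorithm not implemented"
        elif record is None:
            entry["status"] = "temperror: no key record"
        else:
            key_type, problems = check_key_record(record)
            if key_type != alg.split("-")[0]:
                problems.append("key type %s does not match a=%s" % (key_type, alg))
            sig = base64.b64decode(tags.get("b", ""))
            expected = EXPECTED_SIG_LEN.get(alg)
            if expected and len(sig) != expected:
                problems.append("b= is %d bytes, expected %d" % (len(sig), expected))
            entry["status"] = ("permerror: " + "; ".join(problems)) if problems \
                else "ready for verification"
        results.append(entry)
    return results


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed selector records (placeholder key bytes, not real keys).
SAMPLE_DNS = {
    "ed1._domainkey.example.com": "v=DKIM1; k=ed25519; p=" + _b64(bytes(32)),
    "rsa1._domainkey.example.com": "v=DKIM1; k=rsa; p="
        + _b64(b"\x30\x82\x01\x22" + bytes(290)),  # fake DER SPKI shape
    # Misconfigured: a DER-style wrapper was published instead of the raw key.
    "ed2._domainkey.example.com": "v=DKIM1; k=ed25519; p=" + _b64(b"\x30\x2a" + bytes(42)),
}


def _dkim_sig(alg, selector, sig_bytes):
    """Build a folded DKIM-Signature header with placeholder hash/signature."""
    return ("DKIM-Signature",
            "v=1; a=%s; c=relaxed/relaxed; d=example.com; s=%s;\r\n"
            "\th=from:to:subject:date; bh=%s;\r\n\tb=%s"
            % (alg, selector, _b64(bytes(32)), _b64(sig_bytes)))


# Constructed message headers: RSA plus two Ed25519 signatures (one of them
# pointing at the misconfigured selector).
SAMPLE_MESSAGE = [
    ("From", "sender@example.com"),
    _dkim_sig("rsa-sha256", "rsa1", bytes(256)),
    _dkim_sig("ed25519-sha256", "ed1", bytes(64)),
    _dkim_sig("ed25519-sha256", "ed2", bytes(64)),
]

if __name__ == "__main__":
    for label, algs in (("rsa-only verifier", {"rsa-sha256"}),
                        ("ed25519-capable verifier", {"rsa-sha256", "ed25519-sha256"})):
        print(label)
        for r in evaluate(SAMPLE_MESSAGE, SAMPLE_DNS, algs):
            print("  s=%-5s a=%-15s %s" % (r["selector"], r["algorithm"], r["status"]))
```

Run it as a script to see both views side by side; the rsa-only view leaves the message's outcome to the RSA signature alone, which is why dual-signing costs nothing today, while the ed25519-capable view is the one that exposes the DER-wrapped key record before a provider that does verify ed25519 reports permerror for it.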