When creating DomainKeys does it matter if I use o=~ or o=-?
I used this utility to create my DKIM key (1024 bit size), since Gmail has been blocking us (we had an old joomla install exploited, was around before me). And I got this back:
Your Selector Record:
default._domainkey.example.com IN TXT
"k=rsa;p=REALLYLONGSTRINGXXXXXXX"
Your Policy Record:
_domainkey.example.com IN TXT "o=~"
However, the DomainKey that MediaTemple's Plesk gave me had o=-
, so I used that for the policy record instead.
Is that OK?
I tested with this and also tried to test with some DKIM email testers, but have not gotten an email back from any of them.
The o=
tag at the _domainkey root is mentioned in this DKIM specification draft as an optional mechanism to indicate your outbound signing policy.
o=~
means "some, but not all mails from this domain are signed"o=-
means "all mails from this domain are signed (though not necessarily by me)"
Much akin to (though not to be confused with) the Fail and SoftFail qualifiers used in SPF.
Remember that this is your signing policy, you are the one to decide which policy indicator best meets your needs