Different ADSP values for DKIM keys with domains hosted at FastMail

Drencrom · 10 Nov 2014, 04:42 AM

Hi, everyone!

I own about 20 domains and I host my DNS with FastMail for all of them. However, in the "DKIM signing keys" section at the bottom of the "Virtual Domains" screen, some of them are listed as "Unknown" in the pull down menu of the Author Domain Signing Practices (ADSP) column on the right (those domains I added several years ago) and some as "All" (those I added recently, the last 4 domains only). I wonder why this difference exists for various domains, it seems to have no relation to either a registrar (some domains with the same registrar are shown as "Unknown", others as "All"), or whether I use a "catch all" alias, etc.

As I mentioned, the only difference seems to be chronological. Could anyone please explain to me why email for different domains with identical setup is signed differently?

n5bb · 10 Nov 2014, 10:04 AM

The ADSP box on the Virtual Domains screen is something you change yourself. So you need to apply the policy as you see fit, no matter what is currently set. As long as the Set column is active [*], the ADSP choice you make is applied after you click the Save Changes button. To test this:

Go to http://www.appmaildev.com/en/dkim/
Click Next Step
In the Fastmail web interface, send a test message from your domain to the address provided at the website I just mentioned.
You should quickly get a reply email. Look for DKIM result: pass, and the next section will show PublicKey: mesmtp._domainkey.yourdomain.xxx
The public key you see here should match that shown on the Virtual Domains screen for that domain.
Then go to https://www.unlocktheinbox.com/dnstools/a/ and enter your domain at the end of the first field, such as _adsp._domainkey.fastmail.fm, then look up the Authoritative (SOA) Server results. Be sure to examine the SPF/TXT record tab at the bottom after the page refreshes, and remember that there may be some caching delays if you make changes.
The results for fastmail.fm are dkim=unknown, since Fastmail doesn't want to block users who use their Fastmail address but send from other SMTP servers.
See http://en.wikipedia.org/wiki/Author_...ning_Practices for more details about the three ADSP choices (unknown, all, and discard).
- If you always use the Fastmail SMTP server to send messages from your domains, you should be able to use the discard signing practice. This policy instructs email systems that they are allowed by your domain to silently discard messages which contain an improper or no DKIM encryption signature. This is simply a directive from your domain records - there are few email systems which will discard such messages at this time.
- The all policy indicates that all messages sent from your domain are signed, so email systems might consider messages with a failed or missing DKIM encryption signature to be possible spam.

Bill

Drencrom · 10 Nov 2014, 05:05 PM

Thank you for such a detailed answer, Bill! All tests have been consistent.

It is also interesting to me how the ADSP choice is initially selected when you first host your DNS records with FM. I have access to a friend's account (he owns several domains, and asked me to set them all up, he doesn't mess with any settings), and I see the same picture - some of them are "All", some "Unknown" and it seems arbitrary. I wonder what affects the default ADSP choice for a particular domain.

randian · 11 Nov 2014, 07:07 PM

I have all of my domains set to "discard", since that is the strictest setting.

10 Nov 2014, 04:42 AM	#1
Drencrom Master of the @ Join Date: Nov 2002 Location: Ultima Thule Posts: 1,657	Different ADSP values for DKIM keys with domains hosted at FastMail Hi, everyone! I own about 20 domains and I host my DNS with FastMail for all of them. However, in the "DKIM signing keys" section at the bottom of the "Virtual Domains" screen, some of them are listed as "Unknown" in the pull down menu of the Author Domain Signing Practices (ADSP) column on the right (those domains I added several years ago) and some as "All" (those I added recently, the last 4 domains only). I wonder why this difference exists for various domains, it seems to have no relation to either a registrar (some domains with the same registrar are shown as "Unknown", others as "All"), or whether I use a "catch all" alias, etc. As I mentioned, the only difference seems to be chronological. Could anyone please explain to me why email for different domains with identical setup is signed differently?

10 Nov 2014, 10:04 AM	#2
n5bb Intergalactic Postmaster Join Date: May 2004 Location: Irving, Texas Posts: 8,929	DKIM ADSP choices The ADSP box on the Virtual Domains screen is something you change yourself. So you need to apply the policy as you see fit, no matter what is currently set. As long as the Set column is active [], the ADSP choice you make is applied after you click the Save Changes* button. To test this: Go to http://www.appmaildev.com/en/dkim/ Click Next Step In the Fastmail web interface, send a test message from your domain to the address provided at the website I just mentioned. You should quickly get a reply email. Look for DKIM result: pass, and the next section will show PublicKey: mesmtp._domainkey.yourdomain.xxx The public key you see here should match that shown on the Virtual Domains screen for that domain. Then go to https://www.unlocktheinbox.com/dnstools/a/ and enter your domain at the end of the first field, such as _adsp._domainkey.fastmail.fm, then look up the Authoritative (SOA) Server results. Be sure to examine the SPF/TXT record tab at the bottom after the page refreshes, and remember that there may be some caching delays if you make changes. The results for fastmail.fm are dkim=unknown, since Fastmail doesn't want to block users who use their Fastmail address but send from other SMTP servers. See http://en.wikipedia.org/wiki/Author_...ning_Practices for more details about the three ADSP choices (unknown, all, and discard). If you always use the Fastmail SMTP server to send messages from your domains, you should be able to use the discard signing practice. This policy instructs email systems that they are allowed by your domain to silently discard messages which contain an improper or no DKIM encryption signature. This is simply a directive from your domain records - there are few email systems which will discard such messages at this time. The all policy indicates that all messages sent from your domain are signed, so email systems might consider messages with a failed or missing DKIM encryption signature to be possible spam. Bill

10 Nov 2014, 05:05 PM	#3
Drencrom Master of the @ Join Date: Nov 2002 Location: Ultima Thule Posts: 1,657	Thank you for such a detailed answer, Bill! All tests have been consistent. It is also interesting to me how the ADSP choice is initially selected when you first host your DNS records with FM. I have access to a friend's account (he owns several domains, and asked me to set them all up, he doesn't mess with any settings), and I see the same picture - some of them are "All", some "Unknown" and it seems arbitrary. I wonder what affects the default ADSP choice for a particular domain.

11 Nov 2014, 07:07 PM	#4
randian Cornerstone of the Community Join Date: Jan 2014 Posts: 561	I have all of my domains set to "discard", since that is the strictest setting.