
From:
Kirill A. Korinsky <kirill@korins.ky>
Subject:
Re: patch dkimproxy: use rsa-sha256 in sample signing config
To:
Matthieu Herrb <matthieu@openbsd.org>, ports@openbsd.org
Date:
Fri, 10 May 2024 11:42:46 +0100

On Fri, 10 May 2024 10:47:43 +0100,
Stuart Henderson <stu@spacehopper.org> wrote:
> 
> On 2024/05/10 11:40, Matthieu Herrb wrote:
> > 
> > Afaict dkimproxy is not using opendkim but p5-Mail-DKIM. dkimproxy
> > itself also hasn't seen an update in many years, but the underlying
> > perl lib was last updated last January (and could use an update
> > in the port).
> > 
> > So unless you imply that because many people use opendkim, ed25519
> > based signatures shouldn't be used at all I'm not sure I understand
> > what you're saying.
> 
> ed25519 can be used, but at the moment if you do use it, you probably
> want to be double-signing with both that + rsa-sha256.
> 

I imply that using ed25519 usually leads to a malformed signature, and some
big hosting providers treat a double signature as a bad signature if some of
the signatures are not RSA-SHA256. A notable example is icloud.com, which delivers all
emails with double signatures to the junk folder. At least that's what they
did the last time I checked in December '23.

So I suggest putting in the README and config example that using anything other
than RSA-SHA256 may lead to email being delivered to the junk folder. Unfortunately, this
includes double signatures as well.

-- 
wbr, Kirill
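An added example, not part of this thread or of dkimproxy: a small audit that parses the DKIM-Signature headers of an outgoing message and flags exactly the two conditions discussed above, a signature algorithm other than rsa-sha256 and a double-signed message. The sample message, domain and selectors are constructed for the demonstration.

```python
"""Audit DKIM-Signature headers of an RFC 5322 message against the advice
in the thread: every signature should use a=rsa-sha256, and a message that
carries more than one DKIM signature is reported as double-signed."""
import email
from email import policy

# Constructed sample (not a real capture): double-signed with ed25519-sha256
# and rsa-sha256, the combination the thread says some providers junk.
SAMPLE_MSG = b"""\
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=example.org;
 s=ed25519sel; h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
 s=rsasel; h=from:to:subject:date; bh=PLACEHOLDER=; b=PLACEHOLDER=
From: sender@example.org
To: rcpt@example.net
Subject: test
Date: Fri, 10 May 2024 11:42:46 +0100

body
"""


def parse_tags(header_value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2). All folding
    whitespace is stripped first so wrapped values such as b= survive."""
    flat = "".join(header_value.split())
    tags = {}
    for part in flat.split(";"):
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name] = value
    return tags


def audit_dkim(raw: bytes) -> dict:
    """Return the a= algorithm of each DKIM-Signature plus two verdicts."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    algs = [parse_tags(v).get("a", "") for v in msg.get_all("DKIM-Signature", [])]
    return {
        "algorithms": algs,
        "all_rsa_sha256": bool(algs) and all(a == "rsa-sha256" for a in algs),
        "double_signed": len(algs) > 1,
    }


if __name__ == "__main__":
    result = audit_dkim(SAMPLE_MSG)
    print(result)
    if not result["all_rsa_sha256"] or result["double_signed"]:
        print("warning: non-RSA-SHA256 or double signature; may be junked")
```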