Allow import of DKIM-keys (with a warning that it is not from DNS)

[JustMyGithub]

Providers may change the selector and remove the old selectors public key from DNS, a few years ago I noticed that for gmail. It would be nice it it was possible to import keys to DKIM verifier in such a case, but there should be a warning that it was provided by the user. (Yes, I am aware that DNS can be faked as well, but that is not as easy as importing a key.)

btw: It would also be nice to have a trustworthy archive for (retired) DKIM keys, but that another thing.

[dodmi]

DKIM verifier already has a feature to save DKIM public keys.

I don't know, how it's looking in the current branch, this is from the old 2.x branch. I doubt, that it was removed:

Where would you get the key to import, when it's already removed from DNS? I guess, DKIM verifier does already everything you request.

The only thing, which could be changed, is the way, the case is handled, when the public key for a selector is changed. As there's only one key per selector in the cache, you need to update the DKIM key to verify new mails. Verification for any old mail will fail afterwards and the old key is lost.

[JustMyGithub]

I think your screenshot shows settings for caching, not for importing. It is an internal storage of the key within Thunderbird, not the user (or an import file) providing information.

Where would you get the key to import, when it's already removed from DNS? I guess, DKIM verifier does already everything you request.

You may find it on a some website or research paper for example. That indeed did happen, it is not as unlikely as it may seem at first glance.

Furthermore it could be obtained from an old instance of DKIM verifier that has this key cached.

[dodmi]

Yes, the dialog is for (permanent) caching, not for importing. But for your personal e-mails, the key would be in the cache. So, verification will work after it's removed from DNS if you configure caching. And, this is also your personal trustworthy archive.

What's not working is the case, that a key is replaced in DNS with the same selector.

[lieser]

The caching feature dodmi mentioned can be I think uses as a workaround for most of what you want.

1. Enable caching of DKIM keys,
2. View a DKIM signed message to cache at least one key.
3. Edit one of the existing cached keys to the one you want to import.

Yes not a nice workflow. But I successfully use it for e.g. importing the DKIM key for the example inside the RFC.

A way to directly add a new key to the cached ones would be of course better, but I currently don't see enough use for most users for it to have a high priority for me.

but there should be a warning that it was provided by the user.

What is your use case for wanting such a warning? I currently don't see a use case for wanting to long term import a not trusted key. So even if importing would come, it would probably be handled like all other cached keys.

[lieser]

A note about adding a warning for imported keys. It is already possible to get a warning for it by marking the key as being in testing mode (i.e. adding ; t=y), and enabling verification of domains in testing mode in the advanced options.