Hi, thanks for finally providing this!

> Mails sent via this server will be DKIM-signed if the from is a
> debian.org, debconf.org or ftp-master.debian.org address. If any
> additional domain should be considered, feel free to ask.

I just wanted to make you aware of something interesting I learnt recently:

In DKIM (and probably other signing systems), doing a regular key rollover is a good idea. That is not so new. What was new to me is the idea of publishing the old secret keys when rotating:

https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/

tl;dr: DKIM-signed mail is verifiable, but only the headers; the body can be tampered with; it is only designed to provide authenticity in the one second the mail is received; malicious people could steal e-mail archives and abuse modified (or even original) mails against senders, even using them in court maybe; publishing the old keys restores deniability because "everyone could have signed that mail because the keys are public"

Cheers,
Nik