Underscores in DNS

Last Updated: April 10, 2006

There is some industry confusion about whether underscores ("_") may be used in DNS "subdomain" entries (DNS labels), as DomainKeys specifies. There have been several reports of DNS hosters refusing to publish DomainKey records because the selectors are published under the "_domainkey" label. Typically, the provider claims that underscores are prohibited in DNS.

Underscores allowed, except in host names

Host names are not allowed to have underscores in them. In DNS, host names are the name fields of A or MX records or the data fields of the SOA and NS records. Thus, there are many DNS entries that are not host names.

RFC 2872 is a perfect counter to the myth that "_" is non-standard. The RFC is a standards track RFC, and describes SRV records. One of the authors is Paul Vixie, the original programmer of BIND.

The RFC contains this paragraph:

The symbolic name of the desired protocol, with an underscore (_) prepended to prevent collisions with DNS labels that occur in nature. _TCP and _UDP are at present the most useful values for this field, though any name defined by Assigned Numbers or locally may be used (as for Service). The Proto is case insensitive.

and this example:

_foobar._tcp SRV 0 1 9 old-slow-box.example.com.

Thus, the "_" is purposely used to distinguish hosts from other attributes in the DNS. In fact, that is the very reason the "_" prefix was chosen: to differentiate selectors and to avoid collisions with the existing namespace.

Similarly, O'Reilly's DNS and BIND states in Chapter 4, section 5, 'Names that are not host names can consist of any printable ASCII character.'
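The distinction above can be turned into a publishing check that rejects underscores only where a host name is required. This is an added example, not code from the original page or from any DNS hosting product; the function names, the example.com sample records and the choice to leave wildcard owner names out of scope are assumptions made for illustration.

```python
import re

# Host-name label (RFC 952 / RFC 1123 "LDH" rule): letters, digits and
# hyphens only, not starting or ending with a hyphen, at most 63 characters.
HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Any other DNS label: printable ASCII (no space), so "_" is accepted.
ANY_LABEL = re.compile(r"[\x21-\x7e]{1,63}")

# Where a host name is required, following the article's definition.
HOST_IN_OWNER = {"A", "MX"}    # name field must be a host name
HOST_IN_DATA = {"SOA", "NS"}   # data field must be a host name

def _all_labels_match(name, pattern):
    name = name[:-1] if name.endswith(".") else name  # drop the root dot
    if not name or len(name) > 253:
        return False
    return all(pattern.fullmatch(label) for label in name.split("."))

def is_host_name(name):
    return _all_labels_match(name, HOST_LABEL)

def is_dns_name(name):
    return _all_labels_match(name, ANY_LABEL)

def check_record(owner, rtype, data_name=None):
    """Return a list of problems; an empty list means the record is acceptable."""
    rtype = rtype.upper()
    problems = []
    if rtype in HOST_IN_OWNER:
        if not is_host_name(owner):
            problems.append(f"{rtype} owner {owner!r} is not a valid host name")
    elif not is_dns_name(owner):
        problems.append(f"owner {owner!r} is not a valid DNS name")
    if rtype in HOST_IN_DATA and data_name is not None and not is_host_name(data_name):
        problems.append(f"{rtype} data {data_name!r} is not a valid host name")
    return problems

# Constructed sample records (example.com names are placeholders).
SAMPLES = [
    ("sel1._domainkey.example.com.", "TXT", None),   # selector: accepted
    ("_foobar._tcp.example.com.", "SRV", None),      # SRV owner: accepted
    ("mail_1.example.com.", "A", None),              # host name: rejected
    ("example.com.", "NS", "ns_1.example.com."),     # NS target: rejected
]

if __name__ == "__main__":
    for owner, rtype, data in SAMPLES:
        print(rtype, owner, check_record(owner, rtype, data) or "ok")
```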

Examples of underscores in RFCs and in use

Several well known Internet and technology companies have DNS records that use the underscore:

$ dig _domainkey.yahoo.com TXT
_domainkey.yahoo.com. 2H IN TXT "t=y; o=~; n=http://antispam.yahoo.com/domainkeys"

$ dig beta._domainkey.google.com TXT
beta._domainkey.google.com. 1D IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMs93oc95ObA7OEQEbqjIy6YvRj1u3yVGTzQ3wkwRQTWx1fhvNQenPNFklaL+Tw9XFYUc3f8eY0hs3WUNQ+t+I0CAwEAAQ=="

$ dig _domainkey.ebay.com TXT
_domainkey.ebay.com. 1H IN TXT "t=y; o=~; n=http://pages.ebay.com/securitycenter"

$ dig _spf-a.microsoft.com TXT
_spf-a.microsoft.com. 1H IN TXT "v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: a:delivery.pens.microsoft.com a:mh.microsoft.m0.net mx:microsoft.com ~all"

$ dig _domainkey.cern.ch TXT
_domainkey.cern.ch. 3H IN TXT "t=y; o=~; n=CERN DomainKeys, see http://www.cern.ch/mmms/AntiSpam; r=CERN.DomainKeys@cern.ch"

$ dig _domainkey.sendmail.com TXT
_domainkey.sendmail.com. 300 IN TXT "t=y\; o=~"

$ dig _domainkey.earthlink.com TXT
_domainkey.sendmail.com. 1800 IN TXT "t=y\; o=~"

Underscores are allowed in certain DNS entries. In fact, they are specified to be used in a DNS RFC, written by a DNS guru. They are used in DNS labels by major Internet and technology companies.

