Wow, this is complex. I think I’ll just stick to Fastmail for now.
To what extent will automating this increase the ability of spammers to use it, thereby weakening it as a reputation indicator?
I’ve run my own mail server since 1995 and will keep doing so until it’s unfeasible (I hope that day never comes). I was pleased to see that I’m not too far off this rather useful list - I’ve already implemented everything on the “deliverability” list but #7 and #8 (I’m dragging my feet with #8 in particular as DNSSEC does require a bit of work for key rotation, etc).
For those wondering, I don’t have any issues with mail delivery. After a server migration in 2018 I did have a few issues with Outlook.com but those have since been resolved after providing mail server details to Microsoft (a bit annoying that these mysterious “registrations” are not well documented but such is the way of the modern Internet).
Isn’t key rotation automatic in every modern NS? I’ve never had to manually rotate.
Good question and you could well be right. I last looked into configuring it with BIND a few years ago and ISTR there being some configuration required to manage the key rotation process, but perhaps I’m misremembering.
Yeah, BIND, NSD, Knot, etc. all do automatic key rotation now. Very simple to set up. I’m not a DNSSEC proponent and gave up on it years ago, but it should be automatic now. (DNSSEC is really only useful for mail it seems, and I don’t self-host. Useless in general as the majority of clients aren’t recursing and validating by themselves. e.g., your smartphone)