From 7d359e3ff5d886deccea6f704fcd2145f92c10c4 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Mon, 1 Dec 2025 23:12:18 +0100 Subject: [PATCH] Warn about ED25519 DKIM usage There currently seems to be mixed support out there and we need to support dual-signing first before we can recommend rolling out ED25519 DKIM keys. --- default.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/default.nix b/default.nix index 2f681d4..571abf7 100644 --- a/default.nix +++ b/default.nix @@ -999,6 +999,11 @@ in description = '' The key type used for generating DKIM keys. ED25519 was introduced in RFC6376 (2018). + :::{warning} + ED25519 DKIM keys are currently not recommended for primary use, as + various DKIM validators out there lack support and consider the keypair invalid. + ::: + If you have already deployed a key with a different type than specified here, then you should use a different selector ({option}`mailserver.dkimSelector`). In order to get this package to generate a key with the new type, you will either have to
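Review bot: The added `:::{warning}` block in the key type `description` says ED25519 keys are "currently not recommended for primary use" but gives the reader no reason they cannot be deployed alongside another key and no advice on what to do instead. The commit message has the missing piece (dual-signing is not supported yet), so I would carry it into the option text, for example: "Dual-signing is not yet supported, so prefer a widely supported key type until it is." I would also drop "out there" and state the effect directly: validators without ED25519 support consider the keypair invalid, so a message signed only with such a key will not verify at those receivers. Separately, the unchanged context line just above the warning attributes ED25519 to "RFC6376 (2018)"; RFC 6376 is the 2011 DKIM base specification, and Ed25519 signing was added by RFC 8463 in 2018, which is worth correcting while this paragraph is being touched.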