If your domain’s email is set up with GSuite, a very convenient, free, and simple WKD service is available with the new keys.openpgp.org keyserver, and there’s little reason not to have it active on your domain to help WKD gain traction.
Simply add a DNS record for your domain named openpgpkey that is a CNAME to wkd.keys.openpgp.org.
For example, I have the email address email@example.com, and a client can discover my PGP key automatically with a command like
❯ gpg --locate-keys --auto-key-locate wkd firstname.lastname@example.org
With this domain, you can verify that WKD is properly set up with the command

❯ dig -t CNAME openpgpkey.theunhatched.com
...
;; ANSWER SECTION:
openpgpkey.theunhatched.com. 600 IN CNAME wkd.keys.openpgp.org.
...
This is an improvement over DNS-based DANE bindings for OpenPGP, which require a separate DNS record for each user, because one CNAME covers every address on the domain. Per-user records might work for a personal domain, but a single CNAME scales to servers where you host email for many users who should not have the ability to edit your DNS zone.
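To make the two lookup schemes concrete, here is an added example (not code from the original post) that derives, for one mail address, the URL a WKD client such as the gpg command above will fetch, and the per-user DNS owner name that the DANE OPENPGPKEY scheme would need instead. It also contains a small check that the CNAME targets returned by dig point at wkd.keys.openpgp.org, the target shown in the post's output. The WKD hashing rules (SHA-1 of the lower-cased local part, z-base-32 encoded) follow the OpenPGP Web Key Directory draft, and the DANE naming follows RFC 7929; the function names, the sample address Joe.Doe@Example.ORG and the sample dig answers are constructed for this illustration.

```python
"""Derive WKD lookup URLs and the DANE OPENPGPKEY owner name for a mail address.

Added illustration, not code from the original post. Assumes the WKD
"advanced"/"direct" URL layout from the Web Key Directory draft, the
z-base-32 alphabet used by GnuPG, and the CNAME target wkd.keys.openpgp.org
shown in the post's dig output.
"""
import base64
import hashlib
import sys
import urllib.error
import urllib.parse
import urllib.request

# z-base-32 uses the same 5-bit grouping as RFC 4648 base32 but a different
# alphabet, so for inputs that are whole 5-byte groups (a 20-byte SHA-1
# digest qualifies) a plain character translation yields the z-base-32 text.
_RFC4648 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TRANS = str.maketrans(_RFC4648, _ZBASE32)

# CNAME target of the keys.openpgp.org WKD service, as seen in the post.
WKD_CNAME_TARGET = "wkd.keys.openpgp.org"


def zbase32(data: bytes) -> str:
    """z-base-32 encode data whose length is a multiple of 5 bytes."""
    if len(data) % 5:
        raise ValueError("only whole 5-byte groups are handled here")
    return base64.b32encode(data).decode("ascii").translate(_TRANS)


def wkd_hash(local_part: str) -> str:
    """WKD hashes the lower-cased local part with SHA-1, then z-base-32."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32(digest)  # 160 bits -> 32 z-base-32 characters


def split_address(address: str) -> tuple:
    """Return (local_part, domain) with the domain lower-cased."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    return local, domain.lower()


def wkd_urls(address: str) -> dict:
    """URLs a WKD client tries: the advanced method (openpgpkey.<domain>,
    which is what the CNAME in the post serves) and the direct method."""
    local, domain = split_address(address)
    h = wkd_hash(local)
    q = urllib.parse.quote(local, safe="")  # the l= parameter keeps original case
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={q}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={q}",
    }


def dane_openpgpkey_name(address: str) -> str:
    """RFC 7929 owner name: hex(SHA-256(local_part)[:28])._openpgpkey.<domain>.
    Every user needs their own such record, which is the scaling problem
    the post contrasts with WKD's single CNAME."""
    local, domain = split_address(address)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


def check_wkd_cname(cname_targets: list) -> bool:
    """Given the CNAME targets resolved for openpgpkey.<domain> (e.g. copied
    from dig's ANSWER SECTION), confirm one of them is the keys.openpgp.org
    WKD host. Trailing dots and case are normalised."""
    return any(t.rstrip(".").lower() == WKD_CNAME_TARGET for t in cname_targets)


def fetch_wkd_key(address: str, timeout: float = 10.0) -> bytes:
    """Fetch the binary OpenPGP key via WKD, advanced method first, then direct.
    Network access; raises LookupError if neither URL serves a key."""
    for method, url in wkd_urls(address).items():
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return resp.read()
        except (urllib.error.URLError, OSError):
            continue  # try the next method
    raise LookupError(f"no WKD key published for {address}")


if __name__ == "__main__":
    # Constructed sample address; pass a real one on the command line to fetch.
    addr = sys.argv[1] if len(sys.argv) > 1 else "Joe.Doe@Example.ORG"
    for method, url in wkd_urls(addr).items():
        print(f"WKD {method}: {url}")
    print(f"DANE record: {dane_openpgpkey_name(addr)}")
    # Constructed dig answer mirroring the post's output.
    print("CNAME ok:", check_wkd_cname(["wkd.keys.openpgp.org."]))
```

The URL printed for the advanced method is exactly what `gpg --locate-keys --auto-key-locate wkd` requests once it finds the openpgpkey CNAME, so comparing it against your web server or keyserver logs is a quick way to confirm the lookup path. Note that keys.openpgp.org only answers WKD requests for addresses whose owners have verified them on that keyserver, so a correct CNAME with a 404 response means the user has not published a verified key there rather than a DNS problem.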