3 files changed, 14 insertions, 8 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 99ad7d1a5..9fd526b08 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -176,6 +176,9 @@ JH/38 Fix $dkim_key_length.  This should, after a DKIM verification, present
       the size of the signing public-key.  Previously it was instead giving
       the size of the signature hash.
 
+JH/39 DKIM verification: the RFC 8301 restriction on sizes of RSA keys is now
+      the default.  See the (new) dkim_verify_min_keysizes option.
+
 
 Exim version 4.93
 -----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 4ae49c2fa..b79802103 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -36,29 +36,31 @@ Version 4.94
  9. The ACL control "queue_only" can also be spelled "queue", and now takes an
     option "first_pass_route" to do the same as a "-odqs" on the command line.
 
- 9. Items specified for the router and transport headers_remove option can use
+10. Items specified for the router and transport headers_remove option can use
     a trailing asterisk to specify globbing.
 
-10. New $queue_size variable.
+11. New $queue_size variable.
 
-11. New variables $local_part_{pre,suf}fix_v.
+12. New variables $local_part_{pre,suf}fix_v.
 
-12. New main option "sqlite_dbfile", for use in preference to prefixing the
+13. New main option "sqlite_dbfile", for use in preference to prefixing the
     lookup string.  The older method fails when tainted variables are used
     in the lookup, as the filename becomes tainted.  The new method keeps the
     filename separate.
 
-13. Options on the dsearch lookup, to return the full path and to filter
+14. Options on the dsearch lookup, to return the full path and to filter
     filetypes for matching.
 
-14. Options on pgsql and mysql lookups, to specify server separate from the
+15. Options on pgsql and mysql lookups, to specify server separate from the
     lookup string.
 
-15. Expansion item ${listquote {<char} {<item>}}.
+16. Expansion item ${listquote {<char} {<item>}}.
 
-16. An option for the ${readsocket {}{}{}} expansion to make the result data
+17. An option for the ${readsocket {}{}{}} expansion to make the result data
     cacheable.
 
+18. dkim_verify_min_keysizes, a list of minimum acceptable public-key sizes.
+
 
 
 Version 4.93
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index bb5a32091..ce0c901a9 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -176,6 +176,7 @@ dkim_strict                          string*         unset         smtp
 dkim_timestamps                      integer*        unset         smtp              4.92
 dkim_verify_hashes                   string          sha256:sha512:sha1 main         4.93
 dkim_verify_keytypes                 string          ed25519:rsa        main         4.93
+dkim_verify_min_keysizes             string list     "rsa=1024 ed25519=250"  main    4.94
 dkim_verify_minimal                  boolean         false              main         4.93
 dkim_verify_signers                  string*         $dkim_signers main              4.70
 directory                            string*         unset         appendfile