DomainKeys and DKIM signing support

Andrew MacLachlan andy.mac at global-domination.org
Sun Jun 10 10:54:40 IST 2007


The Postfix way of doing it is that PF signs outbound messages based on
a rule (very similar to an MS rule) and doesn't check inbound messages -
The recommendation is to let SA score the inbound message (i.e. DKIM OK,
score = 0, DKIM fails score = 5) - the same as you should do for SPF.
Because a message is signed, you shouldn't trust it, however if it
fails, then don't trust it. (e.g. a Yahoo message that isn't signed
shouldn't be trusted, because all legit Yahoo messages are - and the
DKIM framework says so... - same goes for all other organisations that
use DKIM like Dell.)

-Andy

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Kevin
Hansard
Sent: 08 June 2007 10:17
To: MailScanner discussion
Subject: RE: DomainKeys and DKIM signing support

> Not yet, no; but it could be.
> Have you got a nice simple short and sweet document describing DKIM,
> how it works, what it protects against and why it will stop all spam :-)

Well I am fairly certain it isn't going to stop all spam! Really it is
just another step along the way. It will make it harder to spoof email
addresses in both spam and virus messages. However it won't help that
much when the spammers use botnets.

The FAQ is here http://www.dkim.org/info/dkim-faq.html.
For the full DKIM spec see
http://www.ietf.org/rfc/rfc4871.txt?number=4871.

> Assuming it's based on some checksum/hash function, what text of the 
> message does it use as its input?
> Can you make it just operate on the body and not the headers at all?

The whole message is required including the headers. I would expect that
following all the header and body processing that you already do, but
before you finally unlock the message for delivery you would pass the
whole message into Mail::DKIM and this would return a new DKIM-Signature
header that would need to be added into the message.

> Am I just trying to add DKIM to a message, or do you need me to check
> it as well?

I think MailScanner probably only needs to be responsible for signing
messages. Verifying the signatures can already be done by the receiving
daemon or by spamassassin. 


--
Kevin Hansard
www.ipl.com
--
This message was scanned by ESVA and is believed to be clean.
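
Why signing has to come after all header and body processing, as the quoted reply says: an added example (not code from this thread, MailScanner or Mail::DKIM) that computes the body hash (`bh=`) and the digest of the signed header data under RFC 4871 relaxed canonicalization, then checks which later edits change it. The RSA step over that digest is left out; the domain, selector, signed header set and sample message are constructed.

```python
import base64, hashlib, re

def relaxed_body(body: bytes) -> bytes:
    # Collapse runs of WSP, drop WSP at line ends, drop empty lines at the end.
    lines = [re.sub(rb"[ \t]+", b" ", l).rstrip(b" ") for l in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(l + b"\r\n" for l in lines)

def relaxed_header(name: str, value: str) -> bytes:
    # Lowercase the name, unfold, collapse WSP, trim around the value.
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n".encode()

def body_hash(body: bytes) -> str:
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def signing_digest(headers, body, signed=("From", "To", "Subject", "Date")):
    # Hash input = signed headers in h= order, then the DKIM-Signature header
    # itself with an empty b= tag and no trailing CRLF. RSA would sign this digest.
    data = b""
    for name in signed:
        # Last instance of a header is selected; an absent header is skipped.
        value = next((v for n, v in reversed(headers) if n.lower() == name.lower()), None)
        if value is not None:
            data += relaxed_header(name, value)
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1; "  # constructed d=/s=
           f"h={':'.join(signed)}; bh={body_hash(body)}; b=")
    data += relaxed_header("DKIM-Signature", sig)[:-2]
    return hashlib.sha256(data).hexdigest()

# Constructed sample message, as it looks at the moment it is signed.
HEADERS = [("From", "alice@example.org"), ("To", "bob@example.net"),
           ("Subject", "Quarterly report"), ("Date", "Fri, 08 Jun 2007 10:17:00 +0100")]
BODY = b"Hello  team,\r\nreport attached. \r\n\r\n"

def changes_after_signing():
    # True means the edit changes the signed digest, so verification would fail.
    base = signing_digest(HEADERS, BODY)
    tagged = [(n, "{Spam?} " + v if n == "Subject" else v) for n, v in HEADERS]  # constructed tag
    return {
        "whitespace_only": signing_digest(HEADERS, b"Hello team,\r\nreport attached.\r\n") != base,
        "unsigned_header_added": signing_digest(HEADERS + [("X-Scanned", "yes")], BODY) != base,
        "subject_tagged": signing_digest(tagged, BODY) != base,
        "footer_appended": signing_digest(HEADERS, BODY + b"-- \r\nScanned\r\n") != base,
    }

if __name__ == "__main__":
    for change, breaks in changes_after_signing().items():
        print(f"{change:22} invalidates signature: {breaks}")
```

Relaxed canonicalization absorbs whitespace-only changes and headers outside `h=` are not covered, but any edit to a signed header or to the body text after signing changes the digest.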