DomainKeys and DKIM signing support

am.lists am.lists at
Sat Jun 16 02:19:31 IST 2007

On 6/10/07, Andrew MacLachlan <andy.mac at> wrote:
> The Postfix way of doing it is that PF signs outbound messages based on
> a rule (very similar to an MS rule) and doesn't check inbound messages -
> The recommendation is to let SA score the inbound message (i.e. DKIM OK,
> score = 0, DKIM fails score = 5) - the same as you should do for SPF.
> Because a message is signed, you shouldn't trust it, however if it
> fails, then don't trust it. (e.g. a yahoo message that isn't signed
> shouldn't be trusted, because all legit yahoo messages are - and the
> DKIM framework says so... - same goes for all other organisations that
> use DKIM like Dell.)
> -Andy

I realize this thread is a bit old now, but to bring up another point
about DKIM and signing, trusting a message purely based on DKIM pass
is a bad thing. Simultaneously, failing a message purely based on a
DKIM fail is an equally bad thing. Reason: Different MTA plug-ins use
different methods for pulling the private key from DNS. Remember DNS
uses UDP (the "unreliable data protocol") and in my experience, I
occasionally (not always, but more than just sometimes) see "temp
fail" on a message that is signed and the key is there. The error in
the header just says "temp fail, couldn't retrieve key" -- and if I
recall correctly, the DKIM plugins for SA/MS do not tell you if it was
a temp fail or a flat out key did not decrypt successfully.

I think it's a great idea, but the technology framework seems to not
be perfectly fortified well enough to pass/fail solely based on it.
Bumping a point or two in SA score is valid, but I wouldn't say
pass=0, fail=5 just yet.
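
Added example, not part of the original post or of any MailScanner/SpamAssassin code: a scorer that keeps a transient key-lookup failure separate from a real signature failure and applies only a small score bump for the latter. It assumes the verifying MTA records its result in an Authentication-Results header (RFC 8601); the authserv-id `mx.example.net`, the score values and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Assumed score deltas: "a point or two", not pass=0 / fail=5.
SCORES = {"pass": 0.0, "fail": 1.5, "permerror": 1.0, "temperror": 0.0}
DKIM_RE = re.compile(r"\s*dkim\s*=\s*([a-z]+)", re.I)

def dkim_results(raw_message, trusted_authserv):
    """DKIM result keywords from Authentication-Results headers written by our own verifier."""
    found = []
    for value in message_from_string(raw_message).get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        ident = authserv.split()[0].lower() if authserv.split() else ""
        if ident != trusted_authserv.lower():
            continue  # a sender can add this header too; only trust our own
        for part in rest.split(";"):
            m = DKIM_RE.match(part)
            if m:
                found.append(m.group(1).lower())
    return found

def dkim_score(raw_message, trusted_authserv):
    """Return (score_delta, verdict); a transient key-lookup failure is never penalised."""
    results = dkim_results(raw_message, trusted_authserv)
    if not results:
        return 0.0, "none"
    if "pass" in results:
        return SCORES["pass"], "pass"
    if "temperror" in results:
        return SCORES["temperror"], "temperror"  # key lookup failed; no verdict yet
    worst = max(results, key=lambda r: SCORES.get(r, 0.0))
    return SCORES.get(worst, 0.0), worst

def sample(*auth_results):
    """Build a constructed test message carrying the given header values."""
    headers = "".join(f"Authentication-Results: {v}\n" for v in auth_results)
    return headers + "From: sender@example.org\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for msg in (
        sample("mx.example.net; dkim=temperror (key query timeout) header.d=example.org"),
        sample("mx.example.net; dkim=fail (bad signature) header.d=example.org"),
        sample("forged.example; dkim=pass header.d=example.org",
               "mx.example.net; dkim=fail header.d=example.org"),
    ):
        print(dkim_score(msg, "mx.example.net"))
```
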

