DomainKeys and DKIM signing support

Glenn Steen glenn.steen at gmail.com
Sun Jun 17 11:43:10 IST 2007


On 16/06/07, am.lists <am.lists at gmail.com> wrote:
> On 6/10/07, Andrew MacLachlan <andy.mac at global-domination.org> wrote:
> > The Postfix way of doing it is that PF signs outbound messages based on
> > a rule (very similar to an MS rule) and doesn't check inbound messages -
> > The recommendation is to let SA score the inbound message (i.e. DKIM OK,
> > score = 0, DKIM fails score = 5) - the same as you should do for SPF.
> > Because a message is signed, you shouldn't trust it, however if it
> > fails, then don't trust it. (e.g. a yahoo message that isn't signed
> > shouldn't be trusted, because all legit yahoo messages are - and the
> > DKIM framework says so... - same goes for all other organisations that
> > use DKIM like Dell.)
> >
> > -Andy
> >
>
>
> I realize this thread is a bit old now, but to bring up another point
> about DKIM and signing, trusting a message purely based on DKIM pass
> is a bad thing. Simultaneously, failing a message purely based on a
> DKIM fail is an equally bad thing. Reason: Different MTA plug-ins use
> different methods for pulling the private key from DNS. Remember DNS
> uses UDP (the "unreliable data protocol") and in my experience, I

Even though I think you are essentially correct.... It's "user
datagram protocol" :-)

> occasionally (not always, but more than just sometimes) see "temp
> fail" on a message that is signed and the key is there. The error in
> the header just says "temp fail, couldn't retrieve key" -- and if I
> recall correctly, the DKIM plugins for SA/MS do not tell you if it was
> a temp fail or a flat out key did not decrypt successfully.
>
> I think it's a great idea, but the technology framework seems to not
> be perfectly fortified well enough to pass/fail solely based on it.
> Bumping a point or two in SA score is valid, but I wouldn't say
> pass=0, fail=5 just yet.
>
> Angelo

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
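An added example, not from anyone on this thread, of the graded scoring Angelo argues for: it reads the dkim= result out of Authentication-Results headers and treats a temporary key-retrieval error differently from a hard signature failure. It assumes the receiving MTA stamps RFC 5451-style Authentication-Results headers with a known authserv-id (here the constructed value "mx.example.net"); the header values and score weights are constructed for illustration.

```python
import re

# "authserv-id [version];" followed by the result clauses (RFC 5451 layout).
AR_LINE_RE = re.compile(r'^\s*([^;\s]+)(?:\s+\d+)?\s*;\s*(.*)$', re.S)
DKIM_RE = re.compile(
    r'\bdkim=(pass|fail|none|neutral|temperror|permerror|policy)\b', re.I)

# Constructed score weights in the spirit of the thread: a pass proves
# nothing by itself, a transient key-fetch error (DNS over UDP) is not a
# forgery, and even a hard failure only bumps the score a little.
DKIM_SCORES = {
    'pass': 0.0,
    'none': 0.0,
    'neutral': 0.0,
    'temperror': 0.0,   # key could not be retrieved; do not penalise
    'permerror': 0.5,   # malformed signature or unusable key record
    'policy': 0.5,
    'fail': 1.5,        # signature present but does not verify
}


def dkim_result(auth_results, authserv_id):
    """Return the dkim= token from the Authentication-Results header that
    our own verifier stamped. Headers carrying any other authserv-id are
    ignored, since an upstream sender could have inserted them."""
    for value in auth_results:
        m = AR_LINE_RE.match(value)
        if not m or m.group(1).lower() != authserv_id.lower():
            continue
        d = DKIM_RE.search(m.group(2))
        return d.group(1).lower() if d else 'none'
    return 'none'


def dkim_score(auth_results, authserv_id):
    """Score adjustment for a message, given its Authentication-Results values."""
    return DKIM_SCORES.get(dkim_result(auth_results, authserv_id), 0.0)
```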

