DomainKeys and DKIM signing support

Andrew MacLachlan andy.mac at
Sun Jun 17 18:45:13 IST 2007

On 16/06/07, am.lists <am.lists at> wrote:
> On 6/10/07, Andrew MacLachlan <andy.mac at> wrote:
> > The Postfix way of doing it is that PF signs outbound messages based
> > a rule (very similar to an MS rule) and doesn't check inbound
> > messages -
> > The recommendation is to let SA score the inbound message (i.e. DKIM
> > score = 0, DKIM fails score = 5) - the same as you should do for
> > Because a message is signed, you shouldn't trust it, however if it
> > fails, then don't trust it. (e.g. a yahoo message that isn't signed
> > shouldn't be trusted, because all legit yahoo messages are - and the
> > DKIM framework says so... - same goes for all other organisations
> > use DKIM like Dell.)
> >
> > -Andy
> >
> I realize this thread is a bit old now, but to bring up another point
> about DKIM and signing, trusting a message purely based on DKIM pass
> is a bad thing. Simultaneously, failing a message purely based on a
> DKIM fail is an equally bad thing. Reason: Different MTA plug-ins use
> different methods for pulling the private key from DNS. Remember DNS
> uses UDP (the "unreliable data protocol") and in my experience, I

Even though I think you are essentially correct.... It's "user
datagram protocol" :-)

> occasionally (not always, but more than just sometimes) see "temp
> fail" on a message that is signed and the key is there. The error in
> the header just says "temp fail, couldn't retrieve key" -- and if I
> recall correctly, the DKIM plugins for SA/MS do not tell you if it was
> a temp fail or a flat out key did not decrypt successfully.
> I think it's a great idea, but the technology framework seems to not
> be perfectly fortified well enough to pass/fail solely based on it.
> Bumping a point or two in SA score is valid, but I wouldn't say
> pass=0, fail=5 just yet.

andy.mac> OK - 5 is a little extreme, but the most important bit was
pass=0 - currently softfails generate 1.8 or so.

> Angelo

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
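The scoring policy the thread converges on (a passing signature earns no trust, a transient key-lookup "temp fail" is not treated as a forgery, and only a definite failure, or an unsigned message from a domain that signs all its mail, adds points) as an added Python example. This is not code from the thread, MailScanner or SpamAssassin; the score values, the sign-all domain list and the sample Authentication-Results headers are all constructed for illustration.

```python
"""Score a message on its DKIM verification result, distinguishing a
transient key-lookup error (DNS over UDP timed out) from a real failure.
Added example; the numbers and domains below are assumptions."""
import re
from email import message_from_string

# Assumed score table: pass=0 as the thread agrees on; a definite failure
# gets "a point or two" rather than 5; a temp fail is not penalised.
SCORES = {
    "pass": 0.0,
    "fail": 2.0,       # signature present but did not verify
    "permerror": 2.0,  # unusable signature or key: treated like fail
    "temperror": 0.0,  # key could not be fetched right now: no penalty
    "none": 0.0,       # no signature at all
}

# Constructed list of domains whose published policy says they sign all mail.
SIGN_ALL_DOMAINS = {"yahoo.com", "dell.com"}
UNSIGNED_SIGN_ALL_SCORE = 1.5

# dkim=<result> [(comment)] [header.d=<domain>] as written by a verifier
AUTHRES_DKIM = re.compile(
    r"dkim=(?P<result>pass|fail|temperror|permerror|none)"
    r"(?:\s*\([^)]*\))?"
    r"(?:\s+header\.d=(?P<domain>[\w.-]+))?",
    re.IGNORECASE,
)


def parse_dkim_result(auth_results):
    """Return (result, signing_domain) from an Authentication-Results value."""
    m = AUTHRES_DKIM.search(auth_results or "")
    if not m:
        return "none", None
    domain = (m.group("domain") or "").lower() or None
    return m.group("result").lower(), domain


def from_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def dkim_score(raw_message):
    """Return (dkim_result, score) for one message in RFC 822 text form."""
    msg = message_from_string(raw_message)
    result, _domain = parse_dkim_result(msg.get("Authentication-Results"))
    score = SCORES[result]
    # Unsigned mail claiming to come from a sign-everything domain is suspect.
    if result == "none" and from_domain(msg) in SIGN_ALL_DOMAINS:
        score += UNSIGNED_SIGN_ALL_SCORE
    return result, score


def _build(sender, authres):
    """Assemble a minimal constructed message with the given headers."""
    headers = ["From: %s" % sender]
    if authres:
        headers.append("Authentication-Results: %s" % authres)
    return "\n".join(headers) + "\nSubject: test\n\nbody\n"


# Constructed sample messages covering each verifier outcome.
MSG_PASS = _build("a@example.com", "mx.example.net; dkim=pass header.d=example.com")
MSG_TEMPFAIL = _build("a@example.com",
                      "mx.example.net; dkim=temperror (key lookup failed) header.d=example.com")
MSG_FAIL = _build("a@example.com", "mx.example.net; dkim=fail header.d=example.com")
MSG_UNSIGNED_YAHOO = _build("someone@yahoo.com", "mx.example.net; dkim=none")
MSG_UNSIGNED_OTHER = _build("someone@example.org", None)

if __name__ == "__main__":
    for name, m in [("pass", MSG_PASS), ("tempfail", MSG_TEMPFAIL),
                    ("fail", MSG_FAIL), ("unsigned yahoo", MSG_UNSIGNED_YAHOO),
                    ("unsigned other", MSG_UNSIGNED_OTHER)]:
        print(name, dkim_score(m))
```

The point of the table is the temperror row: a verifier that reports "couldn't retrieve key" has not shown the message to be forged, so it gets the same zero as an unsigned message rather than the fail score.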
MailScanner mailing list
mailscanner at

This message was scanned by ESVA and is believed to be clean.