DomainKeys and DKIM signing support

Andrew MacLachlan andy.mac at global-domination.org
Sun Jun 17 18:45:13 IST 2007


On 16/06/07, am.lists <am.lists at gmail.com> wrote:
> On 6/10/07, Andrew MacLachlan <andy.mac at global-domination.org> wrote:
> > The Postfix way of doing it is that PF signs outbound messages based on
> > a rule (very similar to an MS rule) and doesn't check inbound messages -
> > The recommendation is to let SA score the inbound message (i.e. DKIM OK,
> > score = 0, DKIM fails score = 5) - the same as you should do for SPF.
> > Because a message is signed, you shouldn't trust it, however if it
> > fails, then don't trust it. (e.g. a yahoo message that isn't signed
> > shouldn't be trusted, because all legit yahoo messages are - and the
> > DKIM framework says so... - same goes for all other organisations that
> > use DKIM like Dell.)
> >
> > -Andy
> >
>
>
> I realize this thread is a bit old now, but to bring up another point
> about DKIM and signing, trusting a message purely based on DKIM pass
> is a bad thing. Simultaneously, failing a message purely based on a
> DKIM fail is an equally bad thing. Reason: Different MTA plug-ins use
> different methods for pulling the private key from DNS. Remember DNS
> uses UDP (the "unreliable data protocol") and in my experience, I

Even though I think you are essentially correct.... It's "user
datagram protocol" :-)

> occasionally (not always, but more than just sometimes) see "temp
> fail" on a message that is signed and the key is there. The error in
> the header just says "temp fail, couldn't retrieve key" -- and if I
> recall correctly, the DKIM plugins for SA/MS do not tell you if it was
> a temp fail or a flat out key did not decrypt successfully.
>
> I think it's a great idea, but the technology framework seems to not
> be perfectly fortified well enough to pass/fail solely based on it.
> Bumping a point or two in SA score is valid, but I wouldn't say
> pass=0, fail=5 just yet.

andy.mac> OK - 5 is a little extreme, but the most important bit was
pass=0 - currently softfails generate 1.8 or so.

> Angelo

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
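The scoring question in this thread (pass = 0, a modest bump on fail, and no penalty when the verifier only reported a temporary key-retrieval failure) can be expressed as a small policy over the DKIM result in an Authentication-Results header. The code below is an added illustration, not part of the thread or of MailScanner/SpamAssassin; the header values, the score table and the function names are constructed assumptions. It separates a permanent "fail" from "temperror" so that a DNS hiccup never counts against the message, and it tallies result types so an operator can see how often temporary failures actually occur before deciding on a fail score.

```python
import re
from collections import Counter

# Constructed sample Authentication-Results header values (not taken from the thread).
SAMPLE_HEADERS = [
    "mx.example.net; dkim=pass header.d=example.org",
    "mx.example.net; dkim=fail (signature did not verify) header.d=example.org",
    "mx.example.net; dkim=temperror (key retrieval failed) header.d=example.org",
    "mx.example.net; dkim=temperror (key retrieval failed) header.d=example.com",
    "mx.example.net; dkim=none",
    "mx.example.net; spf=pass smtp.mailfrom=example.org",
]

# Assumed score adjustments for illustration. "fail" uses the ~1.8 softfail-style
# bump mentioned in the thread rather than a hard 5; "temperror" gets no penalty
# because a failed DNS lookup says nothing about whether the signature is valid.
SCORES = {
    "pass": 0.0,
    "fail": 1.8,
    "temperror": 0.0,
    "permerror": 1.8,
    "none": 0.0,
}

# dkim=<result>, optionally followed by a parenthesised reason string.
_DKIM_RE = re.compile(r"\bdkim=(?P<result>[a-z]+)(?:\s*\((?P<reason>[^)]*)\))?", re.I)


def parse_dkim_result(header_value):
    """Return (result, reason) from an Authentication-Results value.

    If the header carries no dkim= clause the message is treated as unsigned
    ("none"), which is distinct from a signature that failed to verify.
    """
    m = _DKIM_RE.search(header_value)
    if not m:
        return "none", None
    return m.group("result").lower(), m.group("reason")


def dkim_score(header_value):
    """Map the DKIM result to a score adjustment; unknown results score 0."""
    result, _ = parse_dkim_result(header_value)
    return SCORES.get(result, 0.0)


def summarize(header_values):
    """Count DKIM result types across many headers (e.g. a day's worth of mail).

    A high temperror share is the signal that penalising "fail" is risky until
    the resolver problems behind those temporary failures are understood.
    """
    return Counter(parse_dkim_result(h)[0] for h in header_values)


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(parse_dkim_result(h), dkim_score(h))
    print(summarize(SAMPLE_HEADERS))
```

Run as a script it prints each parsed result with its score and the tally; the parser only reads the first dkim= clause of a value, which is enough for a single verifier's header.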
-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 

--
This message was scanned by ESVA and is believed to be clean.