DKIM verification on large messages is broken in SA by MS truncation

Peter Ong at
Thu Dec 23 23:51:51 GMT 2010

I'm using dkimproxy on the postfix mta that handles the MailScanner tasks. My Zimbra, Exchange in your case, sits behind it completely. All outgoing email are signed.

Not talking about this domain; my personal one.


----- Original Message -----

> From: "Adam Bernstein" <adam at>
> To: mailscanner at
> Sent: Thursday, December 23, 2010 3:41:36 PM
> Subject: DKIM verification on large messages is broken in SA by MS truncation
> I'm reporting a problem we just ran into while getting up to speed on
> DKIM, 
> as it looks a lot like a bug but actually indicates a fundamental 
> limitation to our MS/SA/DKIM configuration that might impact others. 
> I 
> don't think there's anything for MS to do about it, but I have a
> fantasy 
> that there's something I'm missing....
> Mailscanner has the "Max SpamAssassin Size" parameter, to truncate
> messages 
> before handing them off to SA.  It defaults to 90KB (we have it set
> much 
> smaller, but this changes only the extent of the effects, not the
> basic 
> problem).  But if you want to take advantage of DKIM verification to 
> contribute to the spam score, then it's SA that calls on Mail::DKIM to
> evaluate the signature.  And if it's a large message, it's been
> truncated 
> by MS before handing off to SA, so it no longer matches the signature.
>  So 
> even with a valid signature, DKIM verification fails for large
> messages.
> --------------------
> The solution?  Well, all I can imagine is either:
>     1. don't truncate at all in Mailscanner, because after all, DKIM
> is 
> designed to disapprove of message modification
> or
>     2. do the DKIM verification separately, before the message gets 
> submitted to MS at all, via the milter or proxy tools
> But #2 is a great deal more work than just enabling the DKIM plugin in
> SA, 
> right?  So that leaves us with #1.  I guess if we were running just
> bare SA 
> with no MS, truncation wouldn't even be an option and we would always
> scan 
> the full message, so this isn't really a loss.  But it would sure be
> nice 
> to take advantage of the MS layer to reduce unnecessary cycles.
> I think what's really needed is a "Max Scan Bytes" setting in SA, so
> it can 
> impose the limit on all its other tests while internally exempting
> verification, but I don't see that happening.
> Have I missed anything?  Or is this just a basic feature of our setup
> that 
> we'll have to accept?
> Thanks much!
>        adam
> -- 
> MailScanner mailing list
> mailscanner at
> Before posting, read
> Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list