DKIM verification on large messages is broken in SA by MS truncation

Glenn Steen glenn.steen at
Thu Dec 23 23:57:31 GMT 2010

There is the oossibility that Jules could make it si that if there is a dkim
sig, the truncation wouldn't happen... So you could do botgh, sort of.
But for now, just set the trubcation higher than your mta size limit, or
whatever way you'd like, to disabke it.

Cheers&merry xmas

Den 24 dec 2010 00.47, "Adam Bernstein" <adam at> skrev:

I'm reporting a problem we just ran into while getting up to speed on DKIM,
as it looks a lot like a bug but actually indicates a fundamental limitation
to our MS/SA/DKIM configuration that might impact others.  I don't think
there's anything for MS to do about it, but I have a fantasy that there's
something I'm missing....


Mailscanner has the "Max SpamAssassin Size" parameter, to truncate messages
before handing them off to SA.  It defaults to 90KB (we have it set much
smaller, but this changes only the extent of the effects, not the basic
problem).  But if you want to take advantage of DKIM verification to
contribute to the spam score, then it's SA that calls on Mail::DKIM to
evaluate the signature.  And if it's a large message, it's been truncated by
MS before handing off to SA, so it no longer matches the signature.  So even
with a valid signature, DKIM verification fails for large messages.


The solution?  Well, all I can imagine is either:
  1. don't truncate at all in Mailscanner, because after all, DKIM is
designed to disapprove of message modification
  2. do the DKIM verification separately, before the message gets submitted
to MS at all, via the milter or proxy tools

But #2 is a great deal more work than just enabling the DKIM plugin in SA,
right?  So that leaves us with #1.  I guess if we were running just bare SA
with no MS, truncation wouldn't even be an option and we would always scan
the full message, so this isn't really a loss.  But it would sure be nice to
take advantage of the MS layer to reduce unnecessary cycles.

I think what's really needed is a "Max Scan Bytes" setting in SA, so it can
impose the limit on all its other tests while internally exempting DKIM
verification, but I don't see that happening.

Have I missed anything?  Or is this just a basic feature of our setup that
we'll have to accept?

Thanks much!

MailScanner mailing list
mailscanner at

Before posting, read

Support MailScanner development - buy the book off the website!
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the MailScanner mailing list