dkim and Mailscanner

Mark Sapiro mark at
Thu Dec 3 22:39:27 UTC 2015

On 12/03/2015 01:24 PM, Maarten wrote:
> Hello,
> I'm having a problem getting dkim to work together with mailscanner. I
> noticed some comments about dkim in the comments so I took the advice of
> the comments.
> Multiple Headers = add
> Place New Headers At Top Of Message = yes
> Each time I got the following error:
> dkim=neutral (body hash did not verify)
> I thought I'd try doing a test by taking out mailscanner, only using postfix, and now I'm getting:
> dkim=pass

Are you looking at incoming mail or outgoing mail? I DKIM sign outgoing
mail and I have

Multiple Headers = add

and Place New Headers At Top Of Message is a ruleset which is Yes for a
small number if incoming messages and No for everything else.

I just sent a message addressed to both Yahoo and Gmail addresses. It
had my MailScanner headers added at the bottom as expected

Yahoo said

Received-SPF: pass (domain of designates as
permitted sender)


domainkeys=neutral (no sig);; dkim=pass (ok)

and Gmail said:

       spf=pass ( domain of mark at designates as permitted sender) smtp.mailfrom=mark at;

According to logs, Postfix opendkim signed the message before it was
processed by MailScanner so my DKIM sig was there and MailScanner didn't
break it, however, if MailScanner does any disarming of web bugs or
suspected phishing URLs or the like, it will certainly break the sig.

For incoming mail I'm not so fussy, but my ruleset says Place New
Headers At Top Of Message = Yes for certain messages that actually get
forwarded to a remote ISP that calls them spam if the sig is broken, but
ultimately I don't scan those messages at all (per a Scan Messages
ruleset) because of MailScanner body changes for disarming.

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list