DomainKeys/DKIM (was: Re: [lug] "Simple" mail MTA setup?)

Sean Reifschneider jafo at
Tue Jan 9 00:44:34 MST 2007

On Mon, Jan 08, 2007 at 10:58:54AM -0700, Ken MacFerrin wrote:
>when implementing SPF & DKIM on my smarthost.  The only workaround I

Speaking of DKIM, what are you using for it and how is that working out for
you?  I recently added DomainKeys to our mail server and then realized
there wasn't a good way to tell if a domain was publishing DomainKeys for
its domains.  I tried relying on them publishing a _domainkey record in
their zone, but then ran into places that were using a wildcard and my
server thought they were doing it when they weren't.

It looks like DKIM *WANTS* to solve this, but reading the specification it
seems that they haven't yet specified how this will happen.

Currently, my system requires DomainKeys from gmail and yahoo, I just
hard coded that in there (if mailfrom.endswith('')).  Still,
seems to be working well, stats from yesterday:

   Client Whitelist |   554
   Greylist         |   446
   Passed           |   245
   SPF              |    84
   GIF Attachment   |    55
   DomainKeys       |    21
   SpamAssassin     |    10
   ClamAV           |     9
   Client Blacklist |     2

21 messages rejected by DomainKeys.  Yay.  Note that the whitelist includes
test messages that are generated every 5 minutes, which accounts for nearly
300 right there.  Greylisting is still quite effective (that is 446
messages that hit greylisting but did not then send another message through
within the next 4 hours).

The GIF Attachment limit has really helped cut down the crap.  It's been

Over the week between xmas and new year I implemented a new mail setup
and the spam volume REALLY dropped off.

 The best way to predict the future is to invent it.
                 -- Alan Kay
Sean Reifschneider, Member of Technical Staff <jafo at>, ltd. - Linux Consulting since 1995: Ask me about High Availability
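
The wildcard false positive described in the message above, as an added example that is not part of the original post or the author's mail setup: a random sibling name is queried alongside `_domainkey.<domain>`, and an identical answer is treated as wildcard synthesis. It assumes the RFC 4870 policy record format (an `o=` tag of `-` or `~`); `lookup_txt`, `fake_lookup` and the zone data are hypothetical and constructed so the check runs offline.

```python
import secrets

def parse_tags(txt):
    """Split a 'k=v; k=v' DomainKeys tag list into a dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key:
            tags[key.strip()] = value.strip()
    return tags

def domainkeys_policy(domain, lookup_txt):
    """Return the 'o=' signing policy at _domainkey.<domain>, or None if the
    answer is absent, synthesized by a wildcard, or not a policy record.
    lookup_txt(name) -> list of TXT strings is a hypothetical resolver hook."""
    answer = sorted(lookup_txt("_domainkey." + domain))
    if not answer:
        return None
    # A name nobody would publish: the same answer here means a wildcard.
    probe = "_probe-%s.%s" % (secrets.token_hex(8), domain)
    if sorted(lookup_txt(probe)) == answer:
        return None
    for txt in answer:
        policy = parse_tags(txt).get("o")
        if policy in ("-", "~"):   # "-" = all mail signed, "~" = some
            return policy
    return None

# Constructed zone data for the demonstration (not real DNS).
ZONE = {
    "_domainkey.signer.example": ["t=y; o=-; n=constructed sample"],
    "*.wildcard.example": ["v=spf1 -all"],
    "_domainkey.mixed.example": ["o=~"],
    "*.mixed.example": ["v=spf1 -all"],
}

def fake_lookup(name):
    """Toy resolver: exact match first, then a one-level wildcard."""
    if name in ZONE:
        return ZONE[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return ZONE.get("*." + parent, [])

if __name__ == "__main__":
    for d in ("signer.example", "wildcard.example", "mixed.example", "none.example"):
        print(d, domainkeys_policy(d, fake_lookup))
```

Only a policy of `-` justifies rejecting unsigned mail from a domain; `~` and `None` both mean the absence of a signature proves nothing.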
