DomainKeys/DKIM (was: Re: [lug] "Simple" mail MTA setup?)
jafo at tummy.com
Tue Jan 9 00:44:34 MST 2007
On Mon, Jan 08, 2007 at 10:58:54AM -0700, Ken MacFerrin wrote:
>when implementing SPF & DKIM on my smarthost. The only workaround I
Speaking of DKIM, what are you using for it and how is that working out for
you? I recently added DomainKeys to our mail server and then realized
there wasn't a good way to tell if a domain was publishing DomainKeys for
its domains. I tried relying on them publishing a _domainkey record in
their zone, but then ran into places that were using a wildcard and my
server thought they were doing it when they weren't.
It looks like DKIM *WANTS* to solve this, but reading the specification it
seems that they haven't yet specified how this will happen.
Currently, my system requires DomainKeys from gmail and yahoo, I just
hard coded that in there (if mailfrom.endswith('@gmail.com')). Still,
seems to be working well, stats from yesterday:
Client Whitelist | 554
Greylist | 446
Passed | 245
SPF | 84
GIF Attachment | 55
DomainKeys | 21
SpamAssassin | 10
ClamAV | 9
Client Blacklist | 2
21 messages rejected by DomainKeys. Yay. Note that the whitelist includes
test messages that are generated every 5 minutes, which accounts for nearly
300 right there. Greylisting is still quite effective (that is 446
messages that hit greylisting but did not then send another message through
within the next 4 hours).
The GIF Attachment limit has really helped cut down the crap. It's been
Over the week between xmas and new year I implemented a new mail setup
and the spam volume REALLY dropped off.
The best way to predict the future is to invent it.
-- Alan Kay
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
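
Added example (not part of the original post and not the poster's code): one way to decide whether a domain really publishes a DomainKeys policy, by reading the `o=` tag of the `_domainkey` TXT record and discarding answers that a random sibling label also returns, which is the wildcard case described above. The `lookup_txt` resolver hook, the function names and the zone data are assumptions constructed for the demonstration.

```python
import secrets

def parse_policy(txt):
    """Parse a DomainKeys policy TXT value such as "t=y; o=-" into a dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key:
            tags[key.strip()] = value.strip()
    return tags

def domainkeys_policy(domain, lookup_txt):
    """Return 'all', 'some' or None. lookup_txt(name) -> list of TXT strings (hypothetical hook)."""
    records = lookup_txt("_domainkey." + domain)
    if not records:
        return None
    # A wildcard (*.domain) answers for any label, so probe a random one:
    # if it returns the same data, the _domainkey answer proves nothing.
    probe = "%s.%s" % (secrets.token_hex(8), domain)
    if sorted(lookup_txt(probe)) == sorted(records):
        return None
    for txt in records:
        outbound = parse_policy(txt).get("o")
        if outbound == "-":
            return "all"   # domain states that all of its mail is signed
        if outbound == "~":
            return "some"  # signing is optional: do not reject unsigned mail
    return None            # a TXT record exists but is not a DomainKeys policy

# Constructed zone data for the demonstration (not real DNS answers).
ZONE = {
    "_domainkey.signer.example": ["t=y; o=-"],
    "_domainkey.partial.example": ["o=~"],
    "*.wild.example": ["v=spf1 -all"],
    "*.wildkey.example": ["o=-"],
}

def fake_lookup(name):
    """Dict-backed resolver stand-in that applies one-level wildcard matching."""
    if name in ZONE:
        return ZONE[name]
    parent = name.split(".", 1)[1] if "." in name else ""
    return ZONE.get("*." + parent, [])

if __name__ == "__main__":
    for d in ("signer.example", "partial.example", "wild.example", "wildkey.example"):
        print(d, domainkeys_policy(d, fake_lookup))
```

The `wildkey.example` case shows why parsing the record alone is not enough: the wildcard answer looks like a valid policy, and only the random-label probe exposes it.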