[lug] Re: DomainKeys/DKIM
lists at macferrin.com
Wed Jan 10 16:19:05 MST 2007
Sean Reifschneider wrote:
> On Mon, Jan 08, 2007 at 10:58:54AM -0700, Ken MacFerrin wrote:
>> when implementing SPF & DKIM on my smarthost. The only workaround I
> Speaking of DKIM, what are you using for it and how is that working out for
> you? I recently added DomainKeys to our mail server and then realized
I'm currently using Postfix 2.3.4 with a slightly patched and compiled
version of the sendmail DomainKeys milter (dk-milter) for both outgoing
DomainKeys signing and incoming verification and then using the SA
Mail::SpamAssassin::Plugin::DKIM for incoming DKIM verification scoring.
I also installed dkim-filter and started experimenting with it but had
an issue with rsa-sha256 not being installed on my VPS and shelved it
until I have some time to get it working.
> there wasn't a good way to tell if a domain was publishing DomainKeys for
> its domains. I tried relying on them publishing a _domainkey record in
> their zone, but then ran into places that were using a wildcard and my
> server thought they were doing it when they weren't.
I've kept my DK domains in testing mode and haven't yet actually moved
to rejecting mail based solely on a DK failure, but DK-milter
attempts a DK lookup on every incoming email and adds the following
header info to each incoming mail that has published DK records and
passes or fails the DK lookup:
Authentication-Results: mail.macferrin.com From=email at yahoo.com;
Received: (qmail 502 invoked by uid 60001); 10 Jan 2007 22:45:46 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
For messages that do not have any valid DK record info published, it does
not add a header but instead leaves the following message in my mail log:
dk-filter: C9ED32C0EC74: syntax error in signature data
So far I've had it implemented for about 6 months and it's been reliable
without adding much in the way of processing overhead.
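The wildcard problem raised earlier in the thread (a `_domainkey` name that resolves only because the zone has a wildcard TXT record) can be caught by looking at what the TXT record actually contains rather than at whether the name resolves. The script below is an added illustration, not code from this post, from dk-milter or from the SpamAssassin DKIM plugin: it parses a DomainKey-Signature tag list like the one quoted above, builds the selector record name `<s>._domainkey.<d>`, and classifies the answer as a usable key record (non-empty `p=` tag), a revoked key (empty `p=`), or an unrelated record such as a wildcard hit. The DNS answers are a constructed in-memory table standing in for a resolver; the key material is a shortened placeholder, and the `wildcard.example` and `old` selector entries are invented for the demonstration.

```python
import re

# Constructed sample DomainKey-Signature value, modelled on the header quoted
# in the post (the b= signature tag is not shown there, so none is included).
SAMPLE_SIGNATURE = "a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;"

# Constructed stand-in for DNS TXT answers; a real deployment queries a resolver.
FAKE_DNS_TXT = {
    # Genuine key record: a p= tag carrying base64 key material (placeholder, shortened).
    "s1024._domainkey.yahoo.com": "k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ",
    # Wildcard zone (invented domain): any name under it answers with an unrelated TXT.
    "s1024._domainkey.wildcard.example": "v=spf1 -all",
    # Revoked selector (invented): an empty p= means the key must not be accepted.
    "old._domainkey.yahoo.com": "k=rsa; p=",
}


def parse_tag_list(value):
    """Parse a DomainKeys/DKIM 'tag=value; tag=value' list into a dict."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # trailing ';' is allowed
        if "=" not in item:
            raise ValueError("malformed tag: %r" % item)
        key, val = item.split("=", 1)
        tags[key.strip()] = val.strip()
    return tags


def selector_record_name(sig):
    """DNS name that holds the public key: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (sig["s"], sig["d"])


def classify_txt(txt):
    """Decide whether a TXT answer is really a key record.

    'key'       -> usable key record (non-empty, base64-looking p= tag)
    'revoked'   -> key record with an empty p= tag
    'not-a-key' -> anything else, e.g. a wildcard TXT that merely answers
    """
    try:
        tags = parse_tag_list(txt)
    except ValueError:
        return "not-a-key"
    if "p" not in tags:
        return "not-a-key"
    if tags["p"] == "":
        return "revoked"
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", tags["p"]):
        return "not-a-key"
    return "key"


def in_testing_mode(txt):
    """True if the key record carries the t=y flag (sender is testing, not enforcing)."""
    tags = parse_tag_list(txt)
    return "y" in tags.get("t", "").split(":")


def publishes_domainkeys(signature_header, lookup=FAKE_DNS_TXT.get):
    """Classify the signing domain of a DomainKey-Signature header.

    Returns 'key', 'revoked', 'not-a-key', or 'none' (no TXT record at all).
    `lookup` maps a DNS name to its TXT string or None; the default uses the
    constructed table above.
    """
    sig = parse_tag_list(signature_header)
    for required in ("s", "d"):
        if required not in sig:
            raise ValueError("signature lacks required tag %s=" % required)
    txt = lookup(selector_record_name(sig))
    if txt is None:
        return "none"
    return classify_txt(txt)


if __name__ == "__main__":
    for header in (SAMPLE_SIGNATURE,
                   "a=rsa-sha1; s=s1024; d=wildcard.example",
                   "s=old; d=yahoo.com",
                   "s=s1024; d=nosuch.example"):
        print("%-45s -> %s" % (header, publishes_domainkeys(header)))
```

Only a `key` result should count as "this domain publishes DomainKeys"; a wildcard zone yields `not-a-key`, which is exactly the case that fooled the resolve-or-not check described above, and `revoked` is a reason to fail verification rather than to skip it.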