[lug] Re: DomainKeys/DKIM

Ken MacFerrin lists at macferrin.com
Wed Jan 10 16:19:05 MST 2007


Sean Reifschneider wrote:
> On Mon, Jan 08, 2007 at 10:58:54AM -0700, Ken MacFerrin wrote:
>> when implementing SPF & DKIM on my smarthost.  The only workaround I
> 
> Speaking of DKIM, what are you using for it and how is that working out for
> you?  I recently added DomainKeys to our mail server and then realized

I'm currently using Postfix 2.3.4 with a slightly patched and compiled
version of the sendmail DomainKeys milter (dk-milter) for both outgoing
DomainKeys signing and incoming verification and then using the SA
Mail::SpamAssassin::Plugin::DKIM for incoming DKIM verification scoring.

I also installed dkim-filter and started experimenting with it but had
an issue with rsa-sha256 not being installed on my VPS and shelved it
until I have some time to get it working.

http://www.elandsys.com/resources/sendmail/domainkeys.html
http://www.elandsys.com/resources/sendmail/dkim.html

> there wasn't a good way to tell if a domain was publishing DomainKeys for
> its domains.  I tried relying on them publishing a _domainkey record in
> their zone, but then ran into places that were using a wildcard and my
> server thought they were doing it when they weren't.

I've kept my DK domains in testing mode and haven't yet actually moved
to rejecting mail based solely on a DK failure, but dk-milter
attempts a DK lookup on every incoming email and adds the following
header info to each incoming mail that has published DK records and
passes or fails the DK lookup:

Authentication-Results: mail.macferrin.com From=email at yahoo.com;
domainkeys=pass (testing)
Received: (qmail 502 invoked by uid 60001); 10 Jan 2007 22:45:46 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;
h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
b=hjBFZP2RmGcZ/g56lfC9RHjdpEmeZLA6fwDCFajkK1LjCUOLkeWSjQzLFBWlNJ4CurBIxwpn3Cwy7589cWCsm7yiRWRN6gzxN6TS7ojD7GbbptP9cUFgRld++LcloEVbcSzj5k+ydPbVE9D8ZLoY26oX7BAMOESJiFJHZiZkcek=
;

For messages that do not have any valid DK record info published, it does
not add a header but instead leaves the following message in my mail log.

dk-filter[2420]: C9ED32C0EC74: syntax error in signature data

So far I've had it implemented for about 6 months and it's been reliable
without adding much in the way of processing overhead.
-Ken
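As an added example (not code from the post above, nor from dk-milter or SpamAssassin), the following Python puts three points from this thread into working form: a tag-list parser for DomainKey-Signature headers and _domainkey TXT records that rejects malformed data rather than guessing; a policy lookup that repeats the query for a random label so a wildcard TXT record is not mistaken for a published DomainKeys policy (the problem Sean describes); and a filter that only believes an Authentication-Results header carrying the local authserv-id, since a sender can pre-load a fake domainkeys=pass. The resolver is injected and the zone data, header list, attacker.example host and the meaning assumed for "(testing)" are constructed or assumed for the demo; a real deployment would query DNS and would still need to verify the RSA signature itself.

```python
"""Added example (not from the original post, dk-milter or SpamAssassin).
All DNS answers and headers here are constructed for the demo."""
import re
import secrets
from typing import Callable, Dict, List, Optional, Tuple

TagDict = Dict[str, str]
Header = Tuple[str, str]
Resolver = Callable[[str], List[str]]   # DNS name -> TXT strings ([] when none)


def parse_tag_list(value: str) -> TagDict:
    """Parse a DomainKeys 'tag=value; tag=value' list, the syntax shared by the
    DomainKey-Signature header and the _domainkey policy/selector TXT records.
    Raises ValueError on malformed data instead of guessing."""
    tags: TagDict = {}
    for field in value.split(";"):
        field = field.strip()
        if not field:
            continue                                    # tolerate a trailing ';'
        tag, sep, val = field.partition("=")
        tag = tag.strip()
        if not sep or not re.fullmatch(r"[a-z]", tag):  # DomainKeys tags are one letter
            raise ValueError(f"bad tag field: {field!r}")
        if tag in tags:
            raise ValueError(f"duplicate tag: {tag!r}")
        # b= and h= are folded across lines in real mail; drop whitespace inside them
        tags[tag] = "".join(val.split()) if tag in ("b", "h") else val.strip()
    return tags


def parse_domainkey_signature(header_value: str) -> TagDict:
    """Check a DomainKey-Signature carries what a verifier needs: rsa-sha1 via
    DNS, the key location (d=, s=) and the signature itself (b=)."""
    tags = parse_tag_list(header_value)
    missing = [t for t in ("a", "d", "s", "b") if t not in tags]
    if missing:
        raise ValueError(f"signature missing tags {missing}")
    if tags["a"] != "rsa-sha1" or tags.get("q", "dns") != "dns":
        raise ValueError("unsupported algorithm or query method")
    if tags.get("c", "simple") not in ("simple", "nofws"):
        raise ValueError(f"unknown canonicalization {tags['c']!r}")
    return tags


def signature_syntax_ok(header_value: str) -> bool:
    try:
        parse_domainkey_signature(header_value)
        return True
    except ValueError:
        return False


def domainkeys_policy(domain: str, resolve: Resolver) -> Optional[TagDict]:
    """Return the parsed _domainkey policy, or None if the domain does not really
    publish one. A '*.example TXT' wildcard answers '_domainkey.example' too, so
    a random label is queried as well: an identical answer means the zone is
    wildcarded and the 'policy' says nothing about DomainKeys."""
    answers = resolve(f"_domainkey.{domain}")
    if not answers:
        return None
    if resolve(f"{secrets.token_hex(8)}.{domain}") == answers:  # should not exist
        return None
    try:
        return parse_tag_list(answers[0])
    except ValueError:
        return None                                     # garbage TXT, not a policy


def _authserv(value: str) -> str:
    parts = value.split(None, 1)
    return parts[0].rstrip(";").lower() if parts else ""


def strip_claimed_results(headers: List[Header], authserv_id: str) -> List[Header]:
    """Run at ingress, before the milter adds its own verdict: drop any
    Authentication-Results header that already claims to be ours."""
    return [(n, v) for n, v in headers
            if not (n.lower() == "authentication-results" and _authserv(v) == authserv_id.lower())]


AR_RESULT = re.compile(r"\bdomainkeys=(\w+)(\s*\(testing\))?")


def trusted_domainkeys_result(headers: List[Header], authserv_id: str) -> Optional[dict]:
    """Verdict from the topmost Authentication-Results header bearing our own
    authserv-id; verdicts naming other hosts are ignored. '(testing)' is assumed
    here to mean the signer is in DK testing mode, so a failure is advisory."""
    for name, value in headers:
        if name.lower() != "authentication-results" or _authserv(value) != authserv_id.lower():
            continue
        m = AR_RESULT.search(value)
        if m:
            return {"result": m.group(1), "testing": m.group(2) is not None}
    return None


# Constructed sample data; the signature is the yahoo.com header quoted in the post.
SAMPLE_SIGNATURE = (
    "a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com;\n"
    " h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding;\n"
    " b=hjBFZP2RmGcZ/g56lfC9RHjdpEmeZLA6fwDCFajkK1LjCUOLkeWSjQzLFBWlNJ4CurBIxwpn3Cwy7589cWCsm7yiRWRN6gzxN6TS7ojD7GbbptP9cUFgRld++LcloEVbcSzj5k+ydPbVE9D8ZLoY26oX7BAMOESJiFJHZiZkcek=\n ;"
)
CONSTRUCTED_ZONES = {"_domainkey.example.org": ["t=y; o=~"]}


def fake_resolve(name: str) -> List[str]:
    """Stand-in for a DNS TXT lookup; wildcard.example has a '*.wildcard.example TXT'."""
    if name.endswith(".wildcard.example"):
        return ["o=-"]
    return CONSTRUCTED_ZONES.get(name, [])


CONSTRUCTED_HEADERS = [
    ("Authentication-Results", "mail.macferrin.com From=email at yahoo.com; domainkeys=pass (testing)"),
    ("Received", "(qmail 502 invoked by uid 60001); 10 Jan 2007 22:45:46 -0000"),
    ("Authentication-Results", "attacker.example; domainkeys=pass"),   # foreign verdict, ignored
    ("DomainKey-Signature", SAMPLE_SIGNATURE),
]

if __name__ == "__main__":
    print(parse_domainkey_signature(SAMPLE_SIGNATURE)["d"], domainkeys_policy("example.org", fake_resolve))
    print(domainkeys_policy("wildcard.example", fake_resolve), trusted_domainkeys_result(CONSTRUCTED_HEADERS, "mail.macferrin.com"))
```

The wildcard probe only proves the zone is wildcarded when the random label returns the same data; a zone that serves different TXT data per name is not caught, which is why the signature itself, not the presence of a record, should decide a verdict.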
