Yahoo Groups archive

Milter-greylist

DKIM

2008-09-29 by Ondrej Valousek

Hi List,

I was thinking about the DKIM support recently, and I must say I am not
sure about its usefulness.
Why?
1. DACL only. Even worse, at rcpt stage you can not even say whether the
message is going to be DKIM signed or not. Is there any list of domains
*always* using DKIM? I am not aware of it.
2. Even if we had a list of DKIM-friendly domains, what would we do if
we received a mail without a DKIM signature (and it should have one)?
Are we entitled to trash it?
3. My feeling is that we would probably never receive a mail with a
false DKIM identification. Why? A common spammer would probably never
sign his mail and if he does, the identification would be positive.

I would like to have the following construction:

racl whitelist from /.*@yahoo\.com/
racl greylist default delay 15m
dacl whitelist from dkim pass
dacl blacklist from /.*@yahoo\.com/ dkim none
dacl blacklist dkim [fail, unknown,error]



(note I am not sure whether I can use the construction in the last case,
but it is quite obvious what I was after...)
Now, if the above worked and was SAFE, it would be absolutely perfect.
But.... is it safe?

And if it was, is there any DNSRWL of all domains using DKIM so I do not
have to type them one by one?
Or better, it would be nice if mg could cache all mails that passed
greylisting and valid dkim signature was found so they can be
whitelisted at the RCPT stage later....

I am looking for opinions and other suggestions here. It would be nice
if we could make use of the DKIM support once it is here. According to
http://utility.nokia.net/~lars/meter/dkim.html, DKIM is fairly widely
adopted....

Ondrej
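
Added example (not part of the original post, and not milter-greylist code): a small Python model of the three proposed dacl rules, assuming first-match evaluation, a greylist default and a DKIM result handed over by a verifier. The sample messages and the helper names are constructed for illustration; the last sample shows the case raised in point 3, where a message signed by an unrelated domain still gets "pass" and is whitelisted.

```python
import re

# Hypothetical model of the three dacl rules from the post; first match wins.
# (action, sender regex or None for "any", DKIM results the rule matches)
DACL = [
    ("whitelist", None, {"pass"}),
    ("blacklist", re.compile(r".*@yahoo\.com", re.I), {"none"}),
    ("blacklist", None, {"fail", "unknown", "error"}),
]

def dacl_action(sender, dkim_result, default="greylist"):
    """Return the action of the first rule matching sender and DKIM result."""
    for action, sender_re, results in DACL:
        if dkim_result in results and (sender_re is None or sender_re.match(sender)):
            return action
    return default  # assumption: unmatched mail falls through to greylisting

def signing_domain(dkim_signature):
    """Extract the d= tag from a DKIM-Signature header value (None if absent)."""
    for tag in (dkim_signature or "").split(";"):
        name, _, value = tag.partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower() or None
    return None

def signer_matches_sender(sender, dkim_signature):
    """True when the d= domain equals the sender's domain or is a parent of it."""
    d = signing_domain(dkim_signature)
    domain = sender.rsplit("@", 1)[-1].lower()
    return d is not None and (domain == d or domain.endswith("." + d))

# Constructed samples: (sender, verifier result, DKIM-Signature header value)
SAMPLES = [
    ("alice@yahoo.com", "pass", "v=1; a=rsa-sha256; d=yahoo.com; s=s1; b=AAAA=="),
    ("bob@yahoo.com", "none", None),
    ("carol@example.org", "fail", "v=1; a=rsa-sha256; d=example.org; s=k; b=BBBB"),
    ("dave@example.net", "none", None),
    ("eve@yahoo.com", "pass", "v=1; a=rsa-sha256; d=bulk.example; s=k; b=CCCC"),
]

def report():
    """Return (sender, action, signer matches sender?) for every sample."""
    return [(s, dacl_action(s, r), signer_matches_sender(s, sig))
            for s, r, sig in SAMPLES]

if __name__ == "__main__":
    for row in report():
        print(row)
```
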

Re: [milter-greylist] DKIM

2008-09-29 by Petar Bogdanovic

On Mon, Sep 29, 2008 at 11:57:28AM +0200, Ondrej Valousek wrote:
> Hi List,
> 
> I was thinking about the DKIM support recently, and I must say I am not
> sure about its usefulness.
> Why?
> 1. DACL only. Even worse, at rcpt stage you can not even say whether the
> message is going to be DKIM signed or not. Is there any list of domains
> *always* using DKIM? I am not aware of it.
> 2. Even if we had a list of DKIM-friendly domains, what would we do if
> we received a mail without a DKIM signature (and it should have one)?
> Are we entitled to trash it?
> 3. My feeling is that we would probably never receive a mail with a
> false DKIM identification. Why? A common spammer would probably never
> sign his mail and if he does, the identification would be positive.
> 
> I would like to have the following construction:
> 
> racl whitelist from /.*@yahoo\.com/
> racl greylist default delay 15m
> dacl whitelist from dkim pass
> dacl blacklist from /.*@yahoo\.com/ dkim none
> dacl blacklist dkim [fail, unknown,error]
> 
> 
> 
> (note I am not sure whether I can use the construction in the last case,
> but it is quite obvious what I was after...)
> Now, if the above worked and was SAFE, it would be absolutely perfect.
> But.... is it safe?
> 
> And if it was, is there any DNSRWL of all domains using DKIM so I do not
> have to type them one by one?

draft-ietf-dkim-ssp-03 should cover this, but it's still draft:

	This document describes the records that authors' domains can
	use to advertise their practices for signing their outgoing
	mail, and how other hosts can access those records.

http://tools.ietf.org/html/draft-ietf-dkim-ssp-03

Re: {Disarmed} [milter-greylist] DKIM

2008-09-29 by Kai Schaetzl

Ondrej Valousek wrote on Mon, 29 Sep 2008 11:57:28 +0200:

> I am looking for opinions and other suggestions here. It would be nice
> if we could make use of the DKIM support once it is here. According to
> http://utility.nokia.net/~lars/meter/dkim.html, DKIM is fairly widely
> adopted....

These figures are *very* misleading. AFAIK, only the big mail providers 
and a few enterprises and others are using it. They seem to have tested 
only these. They didn't use random domains for sure. This *may* or may not 
represent the overall mailflow. But it doesn't give any figure about how 
many domains out of a country's total active domains actually use it. That 
figure is rather < 1% (less than one per cent).

Doesn't invalidate your basic concept, though. But how would this be 
different from SPF checking in the same way? Per my understanding SPF 
takes *much* less resources than DKIM.


Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
