DKIM Sign

Description

This module signs outgoing mail with DKIM private keys.

What is DKIM?

DKIM stands for DomainKeys Identified Mail and is a method to assure that a mail was sent by the responsible party (e.g. the domain holder) and not by a fraudulent third party (a spammer). In short: the domain holder publishes a public key in a TXT record of the domain's DNS zone. The outgoing MTA signs part of the mail (a selection of headers plus a hash of the body) with the private key that only it knows and adds the result as a DKIM-Signature header. The receiving MTA fetches the public key from the TXT record and verifies the signature over the signed parts. Voila: the signing domain is verified, because only the domain holder has the private key.

Criticism

Not all parts of the mail can be signed, because the mail has to be transported and any mail server on the way must be able to add (not modify) headers, e.g. Received or the X-headers of a spam filter. Headers that are not listed in the signature's h= tag are therefore not covered at all, and anybody can add such headers without breaking the signature; the same goes for a second copy of a signed header (a second From, say) unless the signer lists that header name once more than it occurs ("oversigning"). The body is covered by a hash (the bh= tag), but with the relaxed canonicalization that hash deliberately tolerates whitespace changes, and a signer may use the l= tag to cover only the first part of the body; anything appended beyond that length leaves the signature valid, which is a well-known loophole. Changes that go further than whitespace, such as an intermediate server re-encoding the body (e.g. 8bit -> quoted-printable), break the signature.

Also: any spammer can register a legitimate domain and publish his public key there. Receiving a validly signed mail does not at all imply that it is not spam; it only tells you which domain takes responsibility for the mail, and the reputation of that domain is a separate question. A missing or failed signature might denote spam, but it can just as well be the result of a legitimate relay altering the mail, so treat it as one signal among others.
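The following is an added example, not code from the decency module, that walks through the parts of DKIM the criticism above refers to, using only the Python standard library: body canonicalization (simple and relaxed), the body hash bh=, the selection of the headers named in h=, and the data that is finally signed. It stops before the RSA step, which needs a private key. The sample message, the domain d=example.org and the selector s=sel1 are constructed placeholders and have nothing to do with what decency uses.

```python
import base64
import hashlib
import re

WSP = re.compile(r"[ \t]+")


def canon_body(body, method, length=None):
    """Canonicalise a body per RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed).

    Returns bytes. If `length` (the l= tag) is given, only that many bytes are
    returned: exactly what a signer using l= covers with the body hash.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":      # split() leaves an empty element after a final newline
        lines.pop()
    if method == "relaxed":
        # collapse runs of WSP to one SP and drop WSP at the end of each line
        lines = [WSP.sub(" ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":   # both methods ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        out = b"\r\n" if method == "simple" else b""
    else:
        out = ("\r\n".join(lines) + "\r\n").encode("utf-8")
    return out if length is None else out[:length]


def body_hash(body, method, algo="sha256", length=None):
    """The bh= tag: base64 of the hash over the canonicalised (possibly truncated) body."""
    digest = hashlib.new(algo, canon_body(body, method, length)).digest()
    return base64.b64encode(digest).decode("ascii")


def canon_header(name, value, method):
    """Canonicalise one header field (without the trailing CRLF)."""
    if method == "simple":
        return f"{name}:{value}"
    # relaxed: lowercase name, unfold, collapse WSP, strip WSP around the colon and at the end
    value = WSP.sub(" ", value.replace("\r\n", "").replace("\n", "")).strip(" ")
    return f"{name.lower()}:{value}"


def signed_header_block(headers, h_list, method):
    """Concatenate the header fields named in h=, each followed by CRLF.

    For every name in h_list the signer takes the *last* not-yet-used instance of that
    header (bottom of the header block first). A name with no remaining instance adds
    nothing, so listing a name once more than it occurs ("oversigning") makes any later
    added instance of that header break the signature.
    """
    used, out = set(), []
    for name in h_list:
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == name.lower():
                used.add(idx)
                out.append(canon_header(*headers[idx], method) + "\r\n")
                break
    return "".join(out)


def signature_input(headers, body, h_list, canon="relaxed/relaxed", algo="sha256",
                    domain="example.org", selector="sel1", length=None):
    """Return (bh, DKIM-Signature tags with empty b=, the data the RSA key signs).

    d= and s= are assumed placeholder values. The signed data is the selected headers
    followed by the DKIM-Signature header itself with an empty b= and no trailing CRLF.
    """
    hcanon, bcanon = canon.split("/")
    bh = body_hash(body, bcanon, algo, length)
    tags = f"v=1; a=rsa-{algo}; c={canon}; d={domain}; s={selector}; h={':'.join(h_list)}; bh={bh};"
    if length is not None:
        tags += f" l={length};"
    tags += " b="
    data = signed_header_block(headers, h_list, hcanon) + canon_header("DKIM-Signature", " " + tags, hcanon)
    return bh, tags, data


# --- constructed sample message (not real mail) ---
SAMPLE_HEADERS = [
    ("Received", " from mail.example.org (mail.example.org [192.0.2.1])\r\n\tby mx.example.net"),
    ("From", " Alice <alice@example.org>"),
    ("To", " bob@example.net"),
    ("Subject", " Invoice  for   March"),
]
SAMPLE_BODY = "Hello Bob,\r\n\r\nplease find the invoice attached.  \r\n\r\n\r\n"
# the same text after a relay re-wrapped whitespace and dropped the trailing blank lines
REFLOWED_BODY = "Hello Bob,\r\n\r\nplease\tfind the  invoice attached.\r\n"
# text a spammer appends beyond the part covered by l=
APPENDED = "Buy now at http://spam.example/\r\n"
# headers a downstream relay / spam filter adds: not in h=, so they do not matter
RELAYED_HEADERS = [("Received", " by relay.example.net"), ("X-Spam-Status", " No")] + SAMPLE_HEADERS
# a second From prepended by an attacker; many mail clients display the first one
FORGED_HEADERS = [("From", " Bank Security <alerts@bank.example>")] + SAMPLE_HEADERS
H = ["from", "to", "subject"]
H_OVERSIGNED = ["from", "from", "to", "subject"]

if __name__ == "__main__":
    bh, tags, data = signature_input(SAMPLE_HEADERS, SAMPLE_BODY, H)
    print("bh =", bh)
    print("data to sign:\n" + data)
```

Run as a script it prints the body hash and the exact byte string the private key would sign. The interesting comparisons are the ones the criticism makes: the relaxed body hash of SAMPLE_BODY and REFLOWED_BODY is identical while the simple one is not; with l= set to the canonical body length, APPENDED does not change bh=; RELAYED_HEADERS and FORGED_HEADERS produce the same signed header block as SAMPLE_HEADERS under H, and only H_OVERSIGNED catches the forged From.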

Configuration

Please read first:

sign_key

Default: none
Allowed values: Path to private key
Required: no

Path to a single private signing key. If sign_key_dir is set as well, this key is used as fallback for domains without a key of their own.

sign_key_dir

Default: none
Allowed values: Path to directory
Required: no

Path to a directory containing signing keys named by domain, for example:

/path/to/sign-dir/mydomain.tld.key
/path/to/sign-dir/otherdomain.tld.key

If a key file for the sending domain is found there, it takes precedence over the default sign_key.

sign_algo

Default: rsa-sha1
Allowed values: String
Required: no

Which signing algorithm to use. rsa-sha1 is the default for compatibility, but SHA-1 is deprecated for DKIM (RFC 8301) and modern verifiers ignore rsa-sha1 signatures; prefer rsa-sha256 where the underlying DKIM library supports it.

sign_method

Default: relaxed
Allowed values: String
Required: no

Which canonicalization method to use (e.g. relaxed or simple, see section 3.4 of RFC 4871). relaxed tolerates the whitespace changes intermediate servers tend to make; simple breaks on them.

additional_headers

Default: none
Allowed values: Array[ String ]
Required: no

Additional headers to sign, apart from the recommended default headers (see section 5.5 in http://www.ietf.org/rfc/rfc4871.txt ; RFC 4871 has since been superseded by RFC 6376). Only headers listed here or in the default set are covered by the signature; everything else can be added or changed in transit without invalidating it.

Example

---

disable: 0
max_size: 0
timeout: 30

sign_key: /etc/decency/dkim/default.key
sign_key_dir: /etc/decency/dkim/domains
# rsa-sha1 is the default for compatibility; SHA-1 is deprecated for DKIM (RFC 8301),
# so set rsa-sha256 here if your DKIM library supports it
#sign_algo: rsa-sha1
#sign_method: relaxed
additional_headers:
    - X-Mailer

Performance

Very fast. The more headers are included, the more time it takes. Can be CPU intensive (one RSA signature per outgoing mail), but not nearly as much as e.g. spam filtering.