DKIM Verify

Description

This module verifies the DKIM signatures of incoming mails against the public keys published by the signing domains.

What is DKIM?

DKIM stands for DomainKeys Identified Mail and is a method to ensure that the sender of a mail is the responsible sender (e.g. the domain holder) and not a fraudulent third party (a spammer). In short: the domain holder publishes a public key in a specific TXT record of the DNS zone. The outgoing MTA signs part of the outgoing mail (some headers) with the private key that only it knows. The receiving MTA can validate the mail (the signed parts) against the public key published in the TXT record. Voila: the sender is verified, because only the original domain owner has the private key.

Critics

Not all parts of the mail can be signed, because the mail has to be transported and any mail server on the way must be able to inject (not modify) headers, e.g. Received or some SPAM filter X-headers. Thus, any spammer can inject at least some headers. Furthermore, DKIM does not sign the body (most of the time), because it might be altered or re-encoded (e.g. 8bit -> quoted-printable), which is also a huge loophole for altering the message.

Also: any spammer can register a legitimate domain and publish his public key there. Receiving a validly signed mail does not imply at all that it is not SPAM. Only the opposite, receiving a mail that fails validation, may indicate that the mail is SPAM.

Configuration

Please read first:

weight_pass

Default: 15
Allowed values: Integer
Required: no

Scoring for passed mails, meaning: there is a DKIM verification header and the mail can be verified.

weight_fail

Default: -50
Allowed values: Integer
Required: no

Scoring for failed mails, meaning: there is a DKIM verification header and the mail can NOT be verified.

weight_invalid

Default: -25
Allowed values: Integer
Required: no

The signature could not be checked because of a problem with the signature header or the public key record.

weight_temperror

Default: 0
Allowed values: Integer
Required: no

A temporary error occurred, e.g. the public key could not be retrieved.

weight_none

Default: 0
Allowed values: Integer
Required: no

There is no signature, so no check is performed.

Postfix configuration

If you want to enable DKIM verification, you have to disable the automatic output conversion, or Postfix will encode all 8bit, binary and so on to quoted-printable (7bit), which can change headers and thus corrupt the signed headers. This is achieved with the following option:

-o disable_mime_output_conversion=yes
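The following Python is an added example, not code from this module or its project. It models the round trip described above (the domain holder publishes a key at selector._domainkey.domain, the outgoing MTA signs selected headers, the receiving MTA fetches the key and verifies) and maps the outcome onto the five results this module scores. To run with the standard library only it makes a few assumptions that real DKIM does not: unpadded textbook RSA with a seeded RNG stands in for RSA-SHA256 with PKCS#1 v1.5 padding, the p= tag carries a toy "64-byte n, 4-byte e" encoding instead of DER, and a dict (or any callable) stands in for the DNS resolver. Header canonicalization follows the relaxed algorithm of RFC 6376; the domain, selector and addresses are constructed.

```python
# Added example, not the module's own code: a toy DKIM round trip with the standard library only.
# Unpadded textbook RSA + seeded RNG stand in for RSA-SHA256/PKCS#1 v1.5 (RFC 6376); a callable stands in for DNS.
import base64
import hashlib
import random
import re

_rng = random.Random(2024)  # seeded so the toy key pair is reproducible
WEIGHTS = {"pass": 15, "fail": -50, "invalid": -25, "temperror": 0, "none": 0}  # module defaults

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin test; adequate for a toy key (candidates are always odd)."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length and odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Toy RSA key pair: (n, e) goes into the TXT record, (n, d) stays with the sender."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def txt_record(public_key):
    """What the domain holder publishes at selector._domainkey.domain (toy p= encoding: 64-byte n, 4-byte e)."""
    n, e = public_key
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(n.to_bytes(64, "big") + e.to_bytes(4, "big")).decode()

def parse_tags(value):
    """Split a tag=value list (DKIM-Signature header or TXT record) into a dict."""
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, v in (item.split("=", 1) for item in value.split(";") if "=" in item)}

def relaxed_header(name, value):
    """Relaxed canonicalization (RFC 6376 3.4.2): lower-case name, unfold, collapse whitespace."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name.lower()}:{value}\r\n"

def _signed_block(headers, h_list, sig_value):
    """Bytes that get hashed: each h= header picked bottom-up (each instance used once),
    then the DKIM-Signature itself with an empty b= and without its trailing CRLF."""
    used, out = set(), []
    for name in h_list:
        for i in range(len(headers) - 1, -1, -1):
            if headers[i][0].lower() == name.lower() and i not in used:
                used.add(i)
                out.append(relaxed_header(*headers[i]))
                break
    blanked = re.sub(r";\s*b=[^;]*$", "; b=", sig_value)
    return "".join(out + [relaxed_header("DKIM-Signature", blanked).rstrip("\r\n")]).encode()

def dkim_sign(headers, h_list, domain, selector, private_key):
    """Outgoing MTA side: returns the DKIM-Signature header to append to the mail."""
    n, d = private_key
    value = f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; h={':'.join(h_list)}; b="
    digest = int.from_bytes(hashlib.sha256(_signed_block(headers, h_list, value)).digest(), "big")
    return "DKIM-Signature", value + base64.b64encode(pow(digest, d, n).to_bytes(64, "big")).decode()

def dkim_verify(headers, dns_lookup):
    """Receiving MTA side: returns pass/fail/invalid/temperror/none; dns_lookup(name) gives TXT text, None, or raises TimeoutError."""
    sigs = [v for k, v in headers if k.lower() == "dkim-signature"]
    if not sigs:
        return "none"
    tags = parse_tags(sigs[-1])
    if any(t not in tags for t in ("d", "s", "h", "b")):
        return "invalid"  # malformed signature header
    try:
        raw = base64.b64decode(parse_tags(dns_lookup(f"{tags['s']}._domainkey.{tags['d']}"))["p"])
        if len(raw) < 5: raise ValueError("empty p= means the key was revoked")
        n, e = int.from_bytes(raw[:-4], "big"), int.from_bytes(raw[-4:], "big")
        sig = int.from_bytes(base64.b64decode(tags["b"]), "big")
    except TimeoutError:
        return "temperror"  # resolver trouble: nothing is proven either way
    except (AttributeError, KeyError, ValueError):
        return "invalid"  # missing or unparsable public key record
    digest = hashlib.sha256(_signed_block(headers, tags["h"].split(":"), sigs[-1])).digest()
    return "pass" if pow(sig, e, n) == int.from_bytes(digest, "big") else "fail"
```

Usage: build the headers as a list of (name, value) tuples, sign them with dkim_sign(headers, ["from", "to", "subject"], "example.org", "sel1", private) and append the returned header; on the receiving side call dkim_verify(headers, dns.get) where dns is a dict keyed by "sel1._domainkey.example.org", and look the result up in WEIGHTS for the score. Folding or re-spacing a signed header in transit still verifies, because relaxed canonicalization normalizes whitespace, and a Received header injected by a relay is ignored because it is not in h=. Re-encoding an 8bit Subject to quoted-printable, which is what the Postfix option above prevents, changes the signed bytes and turns "pass" into "fail"; a missing key record gives "invalid" and a resolver timeout gives "temperror".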

Performance

Very fast, because most of the time only the headers have to be parsed and verified. It can be CPU intensive, but not nearly as much as e.g. SPAM filtering.