Re: [exim] dkim verification

Seems like SPF accomplishes much of the same thing and is much easier
to implement. The only place SPF falls short is like you mentioned is
when mail is forwarded by another server. But that server can be
added to the SPF record as well I would think.

Matt


> This is my understanding of dkim:
>
> Each mail server relaying a message will sign that message. Typically only the
> server authoritative of sending mails for a specific domain (like spf) will
> do this. E.g. gmail will dkim-sign all outgoing mails if you send them over
> their smtp servers.
>
> Exim's dkim code will read the incoming mail and parse all dkim signatures
> found in this mail. After this, you can use ${lookup dkim{...}} to check if
> this mail has been signed for a specific domain. You can use the domain part
> of the From-header field and/or from the envelope from. This will tell you,
> if they have been forged.
> This can be handy if some wants their mail forwarded. First you check the
> envelope address. It will not be correct of course (the mail has been
> forwarded). Then you check the From-header address. It will be correct.
> Therefore you can accept the mail as from the authoritative server.
> In my understanding, at least one of those two address must be valid to accept
> a mail. This can of course only be done for those domains that typically sign
> ALL their outgoing mails with dkim. If at least on "correct" mail is
> unsigned, dkim is useless.
>
> gmail really signs its mails and it is therefore very easy to discard gmail
> spam because the spam from gmail addresses is not send over gmail's mail
> servers and is therefore not dkin signed... at least that kind of spam I get
> from gmail addresses.