> It would be nice if the DKIM implementation would also retrieve the policy
> record (_domainkey.domain.tld and the _adsp._domainkey.domain.tld) when it
> exists, and place the results in $dkim_xxxx variables.
>
> That way it would be possible to deny messages that are unsigned, but policy
> states it signs all messages. I've tried doing it myself with dnsdb lookups,
> but that became way too complex.
To me, you need two things for ADSP: Check all required signers, not
just those contained in signatures:
dkim_verify_signers = ${map{${addresses:$h_from:}}{${domain:$item}}}:$dkim_signers
And check the ADSP record:
condition = ${if eq {$dkim_key_testing}{1} {false} {true}}
dkim_status = none:invalid:fail
condition = ${if match {${lookup dnsdb{txt=_adsp._domainkey.$dkim_cur_signer}}} {^dkim[ ]*=[ ]*discardable} {true} {false}}
The second is just an idea, and may be wrong, because it does not
look too complex. ;)
Of course you need to sign mails by all required signers. The patch
I offered for discussion addresses that.
Michael