Re: [exim] Exim 4.77 and understanding DKIM signature verifi…

Top Page

Reply to this message
Author: Phil Pennock
To: Jeremy Harris
CC: exim-users
Subject: Re: [exim] Exim 4.77 and understanding DKIM signature verification and DKIM ACL
On 2012-04-14 at 23:15 +0100, Jeremy Harris wrote:
> On 2012-04-14 22:04, Michael J. Tubby B.Sc G8TIC wrote:
> > One of the conditions that I'm not sure how we resolve (or even it it ever happens) is what we do if there are two signatures on an incoming message and one is good (pass) and one is bad (fail) - but I guess this is down to the ACL creator ;-)
> I'm not a DKIM user myself, but I see plenty of mails through my system
> that are described exactly like that.....

Most mailing-list software breaks DKIM signatures. Rejecting based on a
broken DKIM signature will reject mail from most mailing-lists where the
poster uses DKIM and the list ignores DKIM.

For instance: most mail from me.

(Some might regard that as a good thing.)

Before rejecting on bad DKIM signatures, you should look for other
indications of the message's origin and path to you and perhaps skip the
DKIM check accordingly. Pure DKIM is only worth rejecting on for
transactional mails that should not have gone through a mailing-list;
eg, Paypal notifications.