Re: [exim] DKIM Question

Author: Phil Pennock
Date:  
To: Dean Hamstead
CC: exim-users
Subject: Re: [exim] DKIM Question
On 2015-02-18 at 18:19 +1100, Dean Hamstead wrote:
> However, I would now like to enable it "globally" in the sense that I
> would like exim to do a DNS lookup and see if DKIM is configured for a
> given domain - and if so then take action.
>
> I have had no success and haven't been able to find a tutorial.
>
> Hopefully someone wiser can offer suggestions?


You need to figure out which domain counts; for DKIM that's normally
"From:", but if you do that, then you reject every mail sent from that
domain to a mailing-list which modifies body content.

The DNS record you're looking for is part of "ADSP", RFC 5617; since the
selector is variable, per message, you can't use a message missing a
selector to decide which DKIM record to look up, so that RFC specifies a
DNS label to use for "Author Domain Signing Practices".

Enforced ADSP only really makes sense for domains which only send
transactional email, unless you do a lot of custom munging and
special-casing in a rule system, to track "legitimate mailing-lists",
"domains publishing ADSP cluelessly", "domains with real users that
might be getting broken" and then start weighting and scoring.

But if you want to try this out for yourself, to see what breaks, then
it will be educational and useful; insight from pain is what leads to
better solutions. :) So go for it, and the above should provide you
with enough pointers to get started.

-Phil
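
Added example, not part of the message above and not Exim configuration: an offline Python sketch of the RFC 5617 check the reply points to, showing the fixed `_adsp._domainkey.` lookup name and how an enforcing receiver would treat a message whose only valid DKIM signature comes from a mailing list. The domains, TXT records and the `evaluate` outcome names are constructed for illustration, and the parser is deliberately lenient about tag order.

```python
# Added example: offline ADSP (RFC 5617) evaluation.
# All domains, records and results below are constructed sample data.

ADSP_PREFIX = "_adsp._domainkey."  # fixed label from RFC 5617; no selector needed


def adsp_query_name(from_header_domain):
    """DNS name whose TXT record holds the author domain's signing practices."""
    return ADSP_PREFIX + from_header_domain.lower().rstrip(".")


def parse_adsp(txt):
    """Return 'unknown', 'all' or 'discardable' from an ADSP TXT record.

    Missing records, records without a dkim= tag and unrecognised values
    are all treated as 'unknown', i.e. no published practice to enforce.
    """
    if not txt:
        return "unknown"
    for tag in txt.split(";"):
        name, sep, value = tag.partition("=")
        if sep and name.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in ("all", "discardable") else "unknown"
    return "unknown"


def evaluate(from_domain, verified_signer_domains, txt):
    """Decide what an enforcing receiver would do with one message.

    verified_signer_domains: d= values of DKIM signatures that verified.
    An author domain signature is one whose d= equals the From: domain.
    """
    author = from_domain.lower()
    if author in {d.lower() for d in verified_signer_domains}:
        return "accept"          # valid author domain signature present
    practice = parse_adsp(txt)
    if practice == "discardable":
        return "discard"
    if practice == "all":
        return "suspicious"      # domain says it signs everything
    return "accept"              # no usable ADSP statement


# Constructed lookup results standing in for DNS TXT answers.
SAMPLE_DNS = {
    "_adsp._domainkey.bank.example": "dkim=discardable",
    "_adsp._domainkey.corp.example": "dkim=all",
}
```
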