How are you testing your DKIM or how are you expecting it to work?
On my email relays I implement a couple of rules:
1. some domains ("known signers") must have a DKIM signature and it
must be valid. This is used for domains like google, yahoo etc.
2. if an email has a DKIM signature then I expect it (a) to be for
the correct domain and (b) to validate.
My DKIM handling predates DMARC.
I have logic that is more-or-less this:
if (sender_domain == known_signer) {
    if (dkim_signature == ok) {
        accept;
    } else if (cannot get public key) {
        defer;  // 421 Cannot get your DKIM public key
    } else {
        reject; // 550 bad DKIM signature
    }
} else if (email has DKIM signature) {
    if (DKIM signature for sender_domain) {
        if (dkim_signature == ok) {
            accept;
        } else if (cannot get public key) {
            defer;  // 421 Cannot get your DKIM public key
        } else {
            reject; // 550 bad DKIM signature
        }
    } else {
        reject; // 550 DKIM signature for wrong domain
    }
}
There are still problems with emails that have two or more DKIM
signatures, for example emails that go through mailing lists where
the sender's DKIM is on and the mailing list adds a DKIM signature.
Personally I think this should be treated as "transit in" (to the
mailing list), where the originator's DKIM should be checked and then
stripped/removed, and "transit out", where the list's DKIM should be
added instead.
I have to have a further whitelist to fix these anomalies ... so it gets
pretty complex.
Mike
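As an added illustration (not code from Mike's post or from any MTA), the policy in the pseudocode above, the mailing-list whitelist he mentions, and the "reject anything signed by this specific signer" check Chris asked for, written as one pure Python function. The verification results are passed in as plain data so the logic can be exercised offline; in a real deployment they would come from the MTA's DKIM verifier (in Exim, the per-signature `$dkim_verify_status` and `$dkim_cur_signer` variables). The policy tables (`KNOWN_SIGNERS`, `LIST_ALLOWLIST`, `SIGNER_BLOCKLIST`) and all domain names are constructed assumptions.

```python
# Added example, not from the original post: a model of the DKIM acceptance
# policy described above, plus a blocklist of signing domains.  The verifier
# results are supplied as data so the function runs stand-alone.
from dataclasses import dataclass


@dataclass(frozen=True)
class DkimResult:
    domain: str   # the d= tag of one DKIM-Signature header
    status: str   # "pass", "fail", or "tempfail" (public key not fetchable)


# Hypothetical local policy tables (assumptions, not from the post).
KNOWN_SIGNERS = {"google.com", "yahoo.com"}     # must sign, and must verify
LIST_ALLOWLIST = {"lists.example.org"}          # lists whose re-signature we trust
SIGNER_BLOCKLIST = {"spammer.example"}          # any mail signed by these is spam


def _judge(own, missing):
    """Apply accept / defer / reject to the signatures for the sender domain."""
    if not own:
        return missing
    if any(s.status == "pass" for s in own):
        return 250, "DKIM signature verified"
    if any(s.status == "tempfail" for s in own):
        return 421, "Cannot get your DKIM public key"
    return 550, "bad DKIM signature"


def dkim_verdict(sender_domain, signatures, known_signers=KNOWN_SIGNERS,
                 list_allowlist=LIST_ALLOWLIST, signer_blocklist=SIGNER_BLOCKLIST):
    """Return (smtp_code, reason): 250 accept, 421 defer, 550 reject."""
    sender_domain = sender_domain.lower()
    sigs = [DkimResult(s.domain.lower(), s.status) for s in signatures]

    # Chris's case: the spam carries a static signature while the sender and
    # envelope are random, so key the rejection on the signing domain itself.
    for s in sigs:
        if s.domain in signer_blocklist:
            return 550, f"DKIM signature from blocklisted signer {s.domain}"

    # Mailing-list anomaly: the list adds its own signature and the author's
    # original signature often no longer verifies.  If a whitelisted list
    # domain has a passing signature, accept on that basis.
    for s in sigs:
        if s.domain in list_allowlist and s.status == "pass":
            return 250, f"accepted on mailing-list signature from {s.domain}"

    own = [s for s in sigs if s.domain == sender_domain]

    if sender_domain in known_signers:
        # Rule 1: known signers must sign, and the signature must be valid.
        return _judge(own, missing=(550, f"{sender_domain} must DKIM-sign its mail"))

    if sigs:
        # Rule 2: a signed message must carry a signature for the sender domain.
        return _judge(own, missing=(550, "DKIM signature for wrong domain"))

    return 250, "no DKIM signature; no policy applies"
```

The blocklist and list-allowlist checks run before the per-domain rules on purpose: the first decides on the signer regardless of the (randomised) sender, and the second is exactly the whitelist that papers over the two-signature mailing-list case, so a broken author signature behind a trusted list does not trigger the 550.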
On 8/10/2016 7:55 PM, Chris Knipe wrote:
> Hi,
>
> In an effort to fight spam, can someone suggest an ACL that will reject any
> mail signed with a specific DKIM?
>
> I have spam incoming that is signed with a static DKIM, but sender /
> envelopes seem to be random rubbish... Would be good to be able to just
> reject the mail if signed with a specific DKIM in this case.
>
>