Re: [exim] "creative" policy for DKIM checking (57.2)

Author: Andrew C Aitchison
Date:  
To: exim-users
Subject: Re: [exim] "creative" policy for DKIM checking (57.2)
On Sat, 31 Dec 2016, Ian Zimmerman wrote:

> So, that section of the Spec says:
>
> Current DKIM verifiers may want to explicitly call the ACL for known
> domains or identities. This would be achieved as follows:
>
> dkim_verify_signers = paypal.com:ebay.com:$dkim_signers
>
> This would result in acl_smtp_dkim always being called for "paypal.com"
> and "ebay.com", plus all domains and identities that have signatures in
> the message. You can also be more creative in constructing your
> policy. For example:
>
> dkim_verify_signers = $sender_address_domain:$dkim_signers
>
> But I cannot see the point of doing either of these things.
>
> Either one of the prepended domains has a valid signature in the
> message, or none has. One way or the other, the final result of running
> acl_smtp_dkim for _all_ members of dkim_verify_signers is the same as if
> nothing were prepended.
>
> At least if the only decision I want to make is "one of
> dkim_verify_signers has a valid sig" versus "any other outcome".
> If I were to consider invalid and failing sigs things would be different.
> Is _that_ why this "creative" hook exists?


I think the docs were written before we knew how often things broke DKIM,
and almost certainly before DMARC.

IIUC the idea was that the writer/postmaster *knows* that paypal and ebay
always sign with dkim, so an unsigned message allegedly from those hosts
must be spam.
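As an added illustration (this is not from the thread or from the Exim spec beyond the option and condition names it uses), here is one way to express the policy Andrew describes, "domain X always signs, so an unsigned message claiming to be from X is spam", in an ACL. It uses the $sender_address_domain form from the quoted spec text rather than the fixed paypal.com:ebay.com list, because a prepended entry only carries information when it is tied to who the message claims to be from: with the fixed list, a bare deny on dkim_status = none would fire on every message that merely lacks a PayPal signature. The domain list, ACL name and reject text are placeholders.

```exim
# Main section: treat the envelope sender's domain as a signer too, so
# acl_smtp_dkim is run for it even when the message carries no signature
# for that domain ($dkim_verify_status is then "none").
dkim_verify_signers = $sender_address_domain : $dkim_signers
acl_smtp_dkim       = acl_check_dkim

begin acl

acl_check_dkim:
  # Act only on the entry that was prepended for the envelope sender, and
  # only for domains the postmaster knows always sign (placeholder list).
  # dkim_signers matches $dkim_cur_signer against its list; dkim_status
  # matches $dkim_verify_status against pass / fail / invalid / none.
  deny  condition    = ${if eq{$dkim_cur_signer}{$sender_address_domain}}
        dkim_signers = paypal.com : ebay.com
        dkim_status  = none : invalid : fail
        message      = No valid DKIM signature for $dkim_cur_signer
        log_message  = DKIM policy: $dkim_cur_signer status \
                       $dkim_verify_status ($dkim_verify_reason)

  # Any other signer, or a passing signature for a listed domain, goes on
  # to the normal DATA-time checks.
  accept
```

Note that this denies on fail and invalid as well as none, which is exactly the breakage Andrew's first paragraph alludes to; a site that receives forwarded or list mail may prefer to deny only on none and log the other two.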