Re: [exim] Unsigned messages from DKIM domains

Author: Richard Clayton
Date:  
To: Exim-users
Subject: Re: [exim] Unsigned messages from DKIM domains
In message <001001d26b44$738a0920$5a9e1b60$@???>, Ivo Truxa
<truxa@???> writes

>I wanted to reject or tag unsigned messages coming from domains who enforce DKIM
>on all their email in their DNS signing policy (DK, DKIM, or ADSP).


you probably don't want to reject on that basis (you wouldn't get mail
from me for example)

what you should be doing is consulting the DMARC policy for the domain
where the domain owner will indicate whether you should reject unsigned
email or mark it as spam (or do nothing).

This allows companies to migrate from a non-signed environment to a
fully signed environment in a gradual way (the DMARC reports allow them
to chase down departments or individuals who are not yet signing without
having to have a "flag day" when email suddenly fails for those who are
not using the standard systems)

>https://github.com/truxoft/dkim_policy


Instead of designing your own policy engine you should, I think, be
using DMARC for learning what policies domain owners have announced ...

>In the example above I exclude domains from the domain lists dkim_domains (list
>of well-known and/or frequently used domains using DKIM, such as Paypal, Ebay,
>Google, various banks, etc.)


... in particular these companies are exactly those for which I am sure
you will find DMARC records

-- 
richard                                                   Richard Clayton


Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
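
Added illustration, not part of the message above and not Exim code: a minimal reader for the DMARC TXT record a domain publishes at `_dmarc.<domain>`, returning what the owner asks a receiver to do with mail that fails DMARC (for example, unsigned mail with no aligned SPF pass). The function names, the `from_is_subdomain` flag and the sample records are assumptions made for this sketch; the DNS lookup itself is left out.

```python
import random

# Policy applied to messages that fall outside the pct= sample (RFC 7489, 6.6.4).
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not usable."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        if not sep:
            return None                      # not a tag=value pair
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None                      # v=DMARC1 must be the first tag
        tags.setdefault(name, value)
    # Simplification: a record without a valid p= is ignored here.
    if tags.get("p", "").lower() not in DOWNGRADE:
        return None
    return tags


def requested_action(txt, from_is_subdomain=False, rng=random.random):
    """Return 'reject', 'quarantine' or 'none' for a message that failed DMARC."""
    rec = parse_dmarc(txt)
    if rec is None:
        return "none"                        # no published policy to enforce
    policy = rec["p"].lower()
    sp = rec.get("sp", "").lower()
    if from_is_subdomain and sp in DOWNGRADE:
        policy = sp                          # sp= overrides p= for subdomains
    try:
        pct = int(rec.get("pct", "100"))
    except ValueError:
        pct = 100
    if rng() * 100 >= max(0, min(100, pct)):
        policy = DOWNGRADE[policy]           # message not in the sampled share
    return policy


# Constructed sample records (example.com is a placeholder domain).
if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=none; sp=quarantine",
                "v=spf1 -all"):
        print(rec, "->", requested_action(rec))
```

The `pct=` handling is what lets a domain owner move gradually: with `p=reject; pct=20`, only a fifth of failing mail is rejected and the rest is treated as quarantine.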