Re: [exim] Unsigned messages from DKIM domains

Author: Ivo Truxa
Date:  
To: Exim-users
Subject: Re: [exim] Unsigned messages from DKIM domains
> -----Original Message-----
> Richard Clayton
> <truxa@???> writes
> >I wanted to reject or tag unsigned messages coming from domains who enforce DKIM
> >on all their email in their DNS signing policy (DK,
> >DKIM, or ADSP).
>
> you probably don't want to reject on that basis (you wouldn't get mail
> from me for example)


Why wouldn't I? Do you send unsigned messages while claiming in the signing policies published in the DNS that all messages from your domain are supposed to be signed? In that case your email indeed deserves to be rejected. In the opposite case (you sign all, or you do not publish any policies, or allow unsigned mail), you are just fine, and your messages will pass through my mail server just fine.

> what you should be doing is consulting the DMARC policy for the domain
> where the domain owner will indicate whether you should reject unsigned
> email or mark it as spam (or do nothing).


I do, of course, use DMARC too, but not every sender does. There are still many senders who only use DKIM (with or without SPF). That's also why I wrote that the script is needed unless DMARC or SA helps to reject the message.

> Instead of designing your own policy engine you should, I think, be
> using DMARC for learning what policies domain owners have announced ...


This is not my own design. That's a public standard. DKIM policies can be published in the DNS as TXT records in several forms:

- RFC 4870 DomainKeys policies - _domainkey.DOMAIN
- early draft DKIM policies - _policy._domainkey.DOMAIN
- ADSP - _adsp._domainkey.DOMAIN


> >In the example above I exclude domains from the domain lists dkim_domains (list
> >of well-known and/or frequently used domains using
> >DKIM, such as Paypal, Ebay, Google, various banks, etc.)
> ... in particular these companies are exactly those for which I am sure
> you will find DMARC records


Exactly! That's also one of the reasons I exclude them.

Cheers,
Ivo Truxa
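An added example, not part of the thread or of any Exim code: it looks up the three policy record names listed above for a sender domain and decides what an unsigned message from that domain deserves. DNS is replaced by a constructed in-memory zone so it runs offline; the verdict mapping (tag for ADSP "dkim=all", reject for "discardable" and for DomainKeys "o=-") is an assumed, conservative choice.

```python
# Signing-policy check for an unsigned message (added example; DNS stubbed).
# Lookup order, most specific first: ADSP, early draft policy, RFC 4870 DomainKeys.
POLICY_LOOKUPS = [
    ("adsp", "_adsp._domainkey.{}"),
    ("draft", "_policy._domainkey.{}"),
    ("domainkeys", "_domainkey.{}"),
]

# Constructed sample zone (name -> TXT record text); not real domains.
SAMPLE_TXT = {
    "_adsp._domainkey.strict.example": "dkim=discardable",
    "_adsp._domainkey.signs-all.example": "dkim=all",
    "_domainkey.oldstyle.example": "o=-; t=y",   # all signed, but testing mode
    "_domainkey.lenient.example": "o=~",         # some mail signed
    "_policy._domainkey.draft.example": "o=-",
}


def lookup_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns None when no record exists."""
    return zone.get(name)


def parse_tags(record):
    """Split a 'k=v; k=v' policy record into a lowercase tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def unsigned_policy(domain, zone=SAMPLE_TXT):
    """Return (verdict, source) for an unsigned message claiming to be from domain.
    verdict is 'reject', 'tag' or 'accept'; source names the record that decided."""
    for source, fmt in POLICY_LOOKUPS:
        record = lookup_txt(fmt.format(domain), zone)
        if record is None:
            continue
        tags = parse_tags(record)
        if source == "adsp":
            practice = tags.get("dkim", "unknown")
            if practice == "discardable":
                return ("reject", source)
            if practice == "all":
                return ("tag", source)
            return ("accept", source)
        # DomainKeys / draft records: o=- means all mail is signed, o=~ only some.
        if tags.get("o") == "-":
            # t=y is testing mode: the domain asks verifiers not to act on failures.
            return ("tag" if tags.get("t") == "y" else "reject", source)
        return ("accept", source)
    return ("accept", None)  # no policy published: unsigned mail is allowed
```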