On Mon, Dec 08, 2008 at 02:01:05AM +0100, mouss wrote:

> > The other question is what do most people do with the check on the DKIM
> > if a message fails, reject outright? Won't this mess up any forwarded
> > mail?
> >
>
> I wouldn't reject. I actually leave verification to spamassassin.

It would sure help to read the DKIM RFC: mail with a failed signature
must be treated as though the message is unsigned. DKIM is an
authentication mechanism that can be used for whitelisting (positive
reputation), it is NOT to be used for detecting junk email.

For now there are no worthy publicly available positive reputation
databases where you can query the DKIM domain, so the whitelisting is
done on a case-by-case basis at each receiving domain.

The SSP (sender-signing-policy) RFC is AFAIK not yet published, and IMHO
has serious design flaws, so I don't expect to see broad support for
using SSP to reject mail from the few domains that will be in a position
to make SSP assertions.

The marketing departments of various technology shops that tell you that
DKIM can help you fight "phishing" are, I believe, misguided or guilty of
wishful thinking.

Do NOT use DKIM to reject unsigned mail or mail with a broken signature.
If you don't intend to whitelist any DKIM senders, don't bother
validating DKIM signatures, there is little point in doing so.

-- 
	Viktor.
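
The handling described in the message above, sketched as an added example that is not part of the original post or of any Postfix or SpamAssassin code: a failed signature gets the same disposition as no signature, and a verified one only matters if its d= domain is on a locally maintained list. The function names, the trusted-domain set, the sample header and the assumption that an external verifier supplies the pass/fail result are all hypothetical.

```python
import re

# Assumption: a locally maintained, case-by-case list of signing domains
# this site has chosen to trust (constructed values).
TRUSTED_SIGNERS = {"example.org", "lists.example.net"}

# Constructed sample DKIM-Signature value, folded across two lines.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=Example.ORG; s=sel1;\r\n"
              "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")


def parse_tags(header_value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    # Unfold continuation lines before splitting on ';'.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for item in unfolded.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        # Drop folding whitespace inside values.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def disposition(signatures, trusted=TRUSTED_SIGNERS):
    """Decide how to treat a message from its DKIM results.

    signatures: list of (DKIM-Signature header value, verified) pairs,
    where `verified` is the boolean result from an external verifier.
    Returns ("whitelist", domain) or ("unsigned", None); there is
    deliberately no "reject" outcome.
    """
    for value, verified in signatures:
        if not verified:
            continue  # broken signature: handled exactly like no signature
        domain = parse_tags(value).get("d", "").lower().rstrip(".")
        if domain in trusted:
            return ("whitelist", domain)
    return ("unsigned", None)


if __name__ == "__main__":
    print(disposition([(SAMPLE_SIG, True)]))
    print(disposition([(SAMPLE_SIG, False)]))
```

A message that comes back as "unsigned" simply continues through whatever content filtering the site already applies.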