Alexis,

> I enabled the DK/DKIM plugins in my SA 3.1.7 setup and I see that the
> default scores for their tests are negligible, presumably because
> they're still a bit experimental.
>
> Is anyone using these and can suggest appropriate scores for these
> plugins, or are these really just too unripe for serious use at the
> moment?

One thing worth noting first: the current version 0.22 of Mail::DKIM
handles both the DKIM as well as older DomainKeys signatures,
and is better maintained and more optimal than Mail::DomainKeys.
This means that one can now safely disable the SA plugin for
DomainKeys and just keep the DKIM plugin, it will cover for both.

Next, the most important role for DKIM/DK is to be able to safely
whitelist sender domains, or to penalize somewhat the mail claiming
to be coming from domains that are known to be signing all mail
(like yahoo and gmail.com), but do not bear a valid signature.
I say 'somewhat' because some mailing lists also corrupt signatures,
and some people use gmail/yahoo sending address even when posting
through some other ISP. Before this practice is rooted out,
one should probably not score invalid signature from these
two domains too harshly.

Regarding scoring of a mere presence of a valid signature, this is
not a good indication of spam/ham. Some types of spam carry a valid
signature from throw-away (kitted) domains, so although a little
bit of favourizing a valid signature is a good thing (providing
incentive for more people to start signing their mail), the bonus
points should not be too high (without also being associated with
known to be nonspamming domains, i.e. whitelist_from_dkim).

Here are some DKIM-related rules that I use.
Don't use these blindly without understanding the topic.

# slightly favourize a mere presence of a valid signature
score DKIM_VERIFIED -1.5
score DKIM_POLICY_TESTING 0

# whitelist some known-to-be-honest domains
score USER_IN_DKIM_WHITELIST -12
whitelist_from_dkim  [EMAIL PROTECTED]  paypal.com

# add some penalty points to mail from yahoo and gmail.com which
# does not carry a valid signature; exempt mail from mailing lists
header __L_ML1       Precedence =~ m{\b(list|bulk)\b}i
header __L_ML2       exists:List-Id
header __L_ML3       exists:List-Post
header __L_ML4       exists:Mailing-List
header __L_HAS_SNDR  exists:Sender
meta   __L_VIA_ML    __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
header __L_FROM_Y1   From:addr =~ [EMAIL PROTECTED]
header __L_FROM_Y2   From:addr =~ [EMAIL PROTECTED](ar|br|cn|hk|my|sg)$}i
header __L_FROM_Y3   From:addr =~ [EMAIL PROTECTED](id|in|jp|nz|uk)$}i
header __L_FROM_Y4   From:addr =~ [EMAIL PROTECTED](ca|de|dk|es|fr|gr|ie|it|pl|se)$}i
meta   __L_FROM_YAHOO __L_FROM_Y1 || __L_FROM_Y2 || __L_FROM_Y3 || __L_FROM_Y4
header __L_FROM_GMAIL From:addr =~ [EMAIL PROTECTED]
meta     L_UNVERIFIED_YAHOO  !DKIM_VERIFIED && __L_FROM_YAHOO && !__L_VIA_ML
priority L_UNVERIFIED_YAHOO  500
score    L_UNVERIFIED_YAHOO  2.5
meta     L_UNVERIFIED_GMAIL  !DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML
priority L_UNVERIFIED_GMAIL  500
score    L_UNVERIFIED_GMAIL  2.5


  Mark
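
The decision logic of the L_UNVERIFIED_* rules above, modelled in Python as an added example that is not part of the original message or of SpamAssassin. The exact-domain matches are an assumption standing in for the From:addr patterns that are redacted in this archive, and the DKIM result is passed in by the caller rather than verified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Scores copied from the rules in the message above.
SCORES = {"DKIM_VERIFIED": -1.5, "L_UNVERIFIED_YAHOO": 2.5, "L_UNVERIFIED_GMAIL": 2.5}

# Assumption: exact-domain matches stand in for the From:addr patterns,
# which are redacted in the archived message.
SIGNING_DOMAINS = {"yahoo.com": "L_UNVERIFIED_YAHOO", "gmail.com": "L_UNVERIFIED_GMAIL"}

PRECEDENCE_RE = re.compile(r"\b(list|bulk)\b", re.I)  # same test as __L_ML1


def via_mailing_list(msg):
    """Mirror of the __L_VIA_ML meta rule, including the Sender check."""
    return bool(
        PRECEDENCE_RE.search(msg.get("Precedence", ""))
        or any(h in msg for h in ("List-Id", "List-Post", "Mailing-List", "Sender"))
    )


def evaluate(raw, dkim_verified):
    """Return (rule hits, total score) for one message.

    dkim_verified is supplied by the caller; signature checking itself
    is outside this sketch.
    """
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hits = []
    if dkim_verified:
        hits.append("DKIM_VERIFIED")
    elif domain in SIGNING_DOMAINS and not via_mailing_list(msg):
        hits.append(SIGNING_DOMAINS[domain])
    return hits, sum(SCORES[h] for h in hits)


# Constructed sample messages (not real mail).
DIRECT = "From: Bob <bob@gmail.com>\nSubject: hi\n\nbody\n"
VIA_LIST = "From: bob@gmail.com\nList-Id: <users.example.org>\n\nbody\n"
OTHER = "From: carol@example.org\n\nbody\n"

if __name__ == "__main__":
    for name, raw, ok in [("direct", DIRECT, False), ("list", VIA_LIST, False),
                          ("signed", DIRECT, True), ("other", OTHER, False)]:
        print(name, evaluate(raw, ok))
```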
