On Tue, 16 Aug 2016 09:00:12 +0100, Merijn van den Kroonenberg
<mer...@web2all.nl> wrote:
Besides, can I change the lines as follows?
header __DKIM_REQUIRED From:addr =~ /\@(example\.com)$/i
header __DKIM_REQUIRED From:addr =~ /\@(example\.org)$/i
header __DKIM_REQUIRED From:addr =~ /\@(example\.nl)$/i
.
.
As I have lots of domains to handle.
You could script the generation of a single line like Bill Cole suggested
(and you can use include files in the config to make this easier).
However I am curious about the performance of a rule like that with a lot
of domains in it.
Probably even more of a performance nightmare, but possibly easier to
maintain could be something like:
header __FROM_EXAMPLECOM From:addr =~ /\@(example\.com)$/i
header __FROM_EXAMPLEORG From:addr =~ /\@(example\.org)$/i
header __FROM_EXAMPLENL From:addr =~ /\@(example\.nl)$/i
meta __DKIM_REQUIRED ( __FROM_EXAMPLECOM || __FROM_EXAMPLEORG || __FROM_EXAMPLENL )
Horses for courses really.
Alternatively you could also set up a dns based list of sender domains. In
fact I have been wondering if someone is maintaining a list like that.
Because I guess a lot of people must be doing similar things on their own.
E.g. we require dkim or spf to be present for some local bank domains.
Especially banks and the like have already a policy, often specified on
their site, for which of their domains require dkim or spf.
Would there be a point in a central, maybe self maintained dns based
domain list where organisations can register domains as 'requiring'
dkim/spf? Sort of an explicit opt-in for organisations who really know
they have everything correctly set-up.
Whilst not really what you're talking about you could take a look at
http://dkimwl.org/ - it certainly shows that a DNS check for DKIM signed
domains is a plausible endeavour. To use your bank example a result of
127.0.10.5 from DKIMWL would show a bank that is highly trusted, if that
fails DKIM then you end up with roughly what you're trying to do.
Of course you may not like their listing policy, which is where these
things can come undone, but the granular nature of their results might be
enough to give you a start and see how happy you are with it in practice.
The big issue for most people in respect of any DNS method is it's
unlikely to reference the domains they manage so there would still be a
need for additional rules for local domains. Perhaps throw in metas like
the ones above.
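
Added example, not part of any post in this thread: one way to script the rule generation discussed above, producing either the single alternation line or the per-domain sub-rules with a meta. The function names and the sample domain list are assumptions made for illustration.

```python
import re

# Constructed sample input: one domain per line, as it might sit in a text file.
SAMPLE_DOMAINS = """
example.com
Example.ORG
example.nl
example.com
# comment line
"""

# A DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def load_domains(text):
    """Normalise, validate and de-duplicate the list, keeping input order."""
    seen = []
    for line in text.splitlines():
        d = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not d:
            continue
        if "." not in d or not all(LABEL.match(p) for p in d.split(".")):
            raise ValueError(f"not a plain domain name: {d!r}")
        if d not in seen:
            seen.append(d)
    return seen

def alternation(domains):
    # Validated labels hold no regex metacharacters, so only dots need escaping.
    return "|".join(d.replace(".", r"\.") for d in domains)

def single_rule(domains, name="__DKIM_REQUIRED"):
    """One header rule covering every domain, written on a single line."""
    return f"header {name} From:addr =~ /\\@({alternation(domains)})$/i"

def per_domain_rules(domains, name="__DKIM_REQUIRED"):
    """One sub-rule per domain plus a meta, each kept on a single line."""
    subs, lines = [], []
    for d in domains:
        sub = "__FROM_" + re.sub(r"[^A-Z0-9]", "", d.upper())
        if sub in subs:
            raise ValueError(f"rule name collision for {d!r}")
        subs.append(sub)
        lines.append(single_rule([d], sub))
    lines.append(f"meta {name} ( {' || '.join(subs)} )")
    return lines

def matches(domains, addr):
    """Check an address against the same pattern the generated rule uses."""
    return re.search("@(" + alternation(domains) + ")$", addr, re.I) is not None

if __name__ == "__main__":
    print(single_rule(load_domains(SAMPLE_DOMAINS)))
```

The output can be written to a file that the main configuration pulls in, so the domain list stays the only thing edited by hand.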