Whitelisting DKIM-signed domains is a bad idea for at least two reasons: mass-mailing services, and spammers who send from real addresses of people whose passwords were easy to guess.
Sent from ProtonMail Mobile

On Sat, Oct 7, 2017 at 11:41 PM, Matthias Leisi <matth...@leisi.net> wrote:

> Last week at the 41st M3AAWG meeting in Toronto there was considerable
> interest in domain-based whitelisting information when I presented the
> dnswl.org project. Obviously, this needs to be authenticated, and that’s what
> we have DKIM for.
>
> We created an experimental list dwl.dnswl.org (subject to change without
> prior notice yaddayadda, with minimal infrastructure etc - don’t use it in
> production yet!), which works like a regular domain- or hostname-based
> blacklist would. More details are here https://www.dnswl.org/?p=311, but in a
> nutshell that’s how it could be implemented in SpamAssassin (put it in your
> local.cf or in some similarly convenient place):
>
> ifplugin Mail::SpamAssassin::Plugin::AskDNS
>
> askdns DNSWL_DWL_HI _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.3/
> tflags DNSWL_DWL_HI nice net
> describe DNSWL_DWL_HI dwl.dnswl.org high trust
> score DNSWL_DWL_HI -5
>
> askdns DNSWL_DWL_MED _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.2/
> tflags DNSWL_DWL_MED nice net
> describe DNSWL_DWL_MED dwl.dnswl.org medium trust
> score DNSWL_DWL_MED -2
>
> askdns DNSWL_DWL_LOW _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.1/
> tflags DNSWL_DWL_LOW nice net
> describe DNSWL_DWL_LOW dwl.dnswl.org low trust
> score DNSWL_DWL_LOW -1
>
> askdns DNSWL_DWL_NONE _DKIMDOMAIN_.dwl.dnswl.org A /^127\.\d+\.\d+\.0/
> tflags DNSWL_DWL_NONE nice net
> describe DNSWL_DWL_NONE dwl.dnswl.org listed, but no particular trust
> information available
> score DNSWL_DWL_NONE -0.1
>
> endif # Mail::SpamAssassin::Plugin::AskDNS
>
> Note that this only works on DKIM-signed domains (DKIM_VALID).
>
> Any inputs or thoughts are highly appreciated.
>
> — Matthias, for the dnswl.org project
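The AskDNS rules quoted above, worked through as an added example that is not part of either message: it builds the `<dkim-domain>.dwl.dnswl.org` query name that `_DKIMDOMAIN_` expands to, maps the returned A record's last octet to the same four rule names and scores, and skips the lookup entirely when the message carries no valid DKIM signature. The resolver is a constructed in-memory stub, not real dnswl.org data, and the `$` anchor on each pattern is an assumption added so that `127.0.0.30` cannot satisfy the `.3` rule.

```python
import re

# Experimental zone named in the post.
DWL_ZONE = "dwl.dnswl.org"

# Same four rules as the SpamAssassin snippet: regex on the A record -> score.
# The trailing "$" is stricter than the posted patterns on purpose, so that a
# last octet of "30" is not mistaken for "3".
DWL_RULES = [
    ("DNSWL_DWL_HI",   re.compile(r"^127\.\d+\.\d+\.3$"), -5.0),
    ("DNSWL_DWL_MED",  re.compile(r"^127\.\d+\.\d+\.2$"), -2.0),
    ("DNSWL_DWL_LOW",  re.compile(r"^127\.\d+\.\d+\.1$"), -1.0),
    ("DNSWL_DWL_NONE", re.compile(r"^127\.\d+\.\d+\.0$"), -0.1),
]


def dwl_query_name(dkim_domain):
    """Build the lookup name that the _DKIMDOMAIN_ macro expands to."""
    return f"{dkim_domain.rstrip('.').lower()}.{DWL_ZONE}"


def dwl_score(dkim_valid, a_records):
    """Return (rule_name, score) for the first matching rule, else (None, 0.0).

    dkim_valid: outcome of DKIM verification (SpamAssassin's DKIM_VALID).
    The list is only meaningful for signed mail, so an unsigned or
    unverifiable message gets no negative score at all.
    a_records: A-record strings returned for the query name; an empty list
    stands for NXDOMAIN, i.e. the domain is not listed.
    """
    if not dkim_valid:
        return None, 0.0
    for name, pattern, score in DWL_RULES:
        if any(pattern.match(addr) for addr in a_records):
            return name, score
    return None, 0.0


# Constructed resolver stub (hypothetical data, not real dnswl.org answers).
FAKE_RESOLVER = {
    dwl_query_name("example.org"): ["127.0.5.3"],   # high trust
    dwl_query_name("example.net"): ["127.0.9.0"],   # listed, no trust info
}


def score_message(dkim_domain, dkim_valid, resolver=FAKE_RESOLVER):
    """Simulate evaluating the AskDNS rules for one message."""
    records = resolver.get(dwl_query_name(dkim_domain), [])
    return dwl_score(dkim_valid, records)
```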