Hello Thomas,
I still find domains in the DKIMCache which do not use DKIM, but do have
a DMARC policy. Subsequently, messages from those domains which do not
arrive signed get an undeserved score.
What has changed within the last few months is that many domains got a DMARC
entry, but do not use DKIM, I guess because a big player decided that
any domain that sends e-mails shall have one.
The sub DKIMCacheAdd is called in sub DKIMpreCheckOK_Run, sub DMARCok
and sub DKIMOK_Run.
- Can you please check and make sure that sub DKIMCacheAdd is called
only for domains for which there is a signature in the e-mail which
exactly matches the sender (from) domain?
- Can you add debug output so adding a domain to DKIMCache gets logged
and we can identify which e-mails get a domain added to DKIMCache where
it should not get added?
In sub DMARCok:
    if (! $this->{DMARC_arc} && $DKIMCacheStrict) {
        DKIMCacheAdd($this->{dmarc}->{domain})
            if $this->{dmarc}->{domain}
            && $this->{dmarc}->{domain} ne $this->{dmarc}->{dom};
        DKIMCacheAdd($this->{dmarc}->{dom}) if $this->{dmarc}->{dom};
        for my $dom (@{$this->{dmarc}->{DKIMdomains}}) {
            DKIMCacheAdd($dom)
                if $dom
                && $dom ne $this->{dmarc}->{domain}
                && $dom ne $this->{dmarc}->{dom};
        }
    }
Do I understand correctly that the domain will get added to DKIMCache if
the message does not contain ARC and $DKIMCacheStrict is true - no
matter if the domain actually uses DKIM?
As many domains have a DMARC entry in the DNS but do not use DKIM - is
this the source of the problem?
In sub DKIMpreCheckOK_Run:
    DKIMCacheAdd($domain)
        if $dkimdomain && ($qdtxt ne 'unknown' || $DKIMCacheStrict);
- Can you please check that $dkimdomain is true only if the domain
really uses DKIM keys?
Please let me know if I can help any further.
Thank you very much in advance,
best regards,
Zrin
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
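
Added example (not part of the message above and not ASSP code): a standalone Perl script showing the gating and logging the message asks for, where a domain is cached only if a DKIM-Signature header carries a d= tag equal to the From domain. The function names, %dkim_cache and the sample messages are assumptions made for this illustration; it checks only that such a signature is present, not that it verifies.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my %dkim_cache;    # hypothetical stand-in for the DKIM cache

# Unfold continuation lines so each header sits on one line.
sub unfold { my ($h) = @_; $h =~ s/\r?\n[ \t]+/ /g; return $h }

# Lower-cased d= domains of every DKIM-Signature header (presence only).
sub signing_domains {
    my $h = unfold(shift);
    my @doms;
    while ($h =~ /^DKIM-Signature:(.*)$/gim) {
        my $tags = $1;
        push @doms, lc $1 if $tags =~ /(?:^|;)\s*d\s*=\s*([^;\s]+)/;
    }
    return @doms;
}

# Domain of the address in the From header, or '' if none (one address assumed).
sub from_domain {
    my $h = unfold(shift);
    return $h =~ /^From:.*\@([A-Za-z0-9.-]+)/im ? lc $1 : '';
}

# Cache the From domain only when a signature's d= equals it; log either way.
sub cache_add_if_aligned {
    my ($id, $msg) = @_;
    my ($headers) = split /\r?\n\r?\n/, $msg, 2;
    my $from = from_domain($headers);
    my @sig  = signing_domains($headers);
    if ($from ne '' && grep { $_ eq $from } @sig) {
        $dkim_cache{$from} = time;
        print "[$id] add ${from}: a DKIM-Signature has d=${from}\n";
        return 1;
    }
    print "[$id] skip ${from}: signing domains = [@sig]\n";
    return 0;
}

# Constructed sample messages (not real mail).
my %samples = (
    aligned    => join("\r\n", 'From: Alice <alice@example.org>',
        'DKIM-Signature: v=1; a=rsa-sha256; s=sel1;',
        "\td=example.org; b=PLACEHOLDER", '', 'body'),
    unsigned   => join("\r\n", 'From: bob@dmarc-only.example', '', 'body'),
    thirdparty => join("\r\n", 'From: carol@example.com',
        'DKIM-Signature: v=1; d=mailer.example.net; s=k1; b=PLACEHOLDER', '', 'body'),
);
cache_add_if_aligned($_, $samples{$_}) for sort keys %samples;
print "cache: ", join(',', sort keys %dkim_cache), "\n";
```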