On Wed, 5 May 2021, at 15:38, Gregory Anders wrote:
> Has anyone attempted this, and if so would you be willing to share?

I had the following two setups related to that over time:

(a) When I had my own Postfix mail server, I had rspamd add a _short_ extra 
header to emails which pass DKIM validation.

(b) Similarly, at my current paid email hosting, they automatically add a rather 
complex Authentication-Results header to incoming email that contains the 
required info. I had a Sieve script configured that adds, if dkim=pass, a short 
extra header just like in (a).

In both cases, I then just instructed mutt to show the short custom header when 
viewing email, in color, so it was easy to see which emails were authenticated 
and which were not.

DKIM validation is necessarily an online thing to do unless you know the 
current DKIM keys of the involved parties in advance, and/or do caching. Should 
you attempt DKIM authentication, I would not make it an ad-hoc validation at 
view time, but always at email reception time, since the DKIM keys for any 
party involved in the authenticated chain may also change over time without the 
DKIM selectors changing, or the parties take their old DKIM selectors offline 
after rotating (! you'd be surprised how many postmasters get so much wrong), 
so after some time, it is almost guaranteed for DKIM validation on already 
received messages to fail. In fact, I believe that if you do DKIM validation an 
hour after the email has been delivered over SMTP, it is already too late.

This is significantly different from offline and ad-hoc PGP signature 
validation, esp. more complex due to the many parties involved. You can still 
check if a signature of an expired key on an old message is good, but what do 
you do with a message that suddenly starts failing DKIM authentication? In the 
latter case, the authentication result at view time is useless.

These days, I rely on the spam filter as a proxy for passing DKIM 
authentication.
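An added example, not part of the original post, that approximates setup (b) in Python rather than Sieve: at reception time it reads the Authentication-Results header stamped by a trusted authserv-id (assumed to be "mx.example.net"; the header name "X-DKIM-Status" and the sample messages are likewise constructed for this example) and adds the short header that a mail client can then display. It only trusts a header whose authserv-id matches, since any sender can include an Authentication-Results header of their own.

```python
"""Stamp a short X-DKIM-Status header from a trusted Authentication-Results header.

Example code written for this thread; it assumes the receiving MTA writes
Authentication-Results with authserv-id "mx.example.net" (RFC 8601 syntax).
"""
import email
import email.policy
import re
from email.message import EmailMessage
from typing import Optional

# Assumed: the authserv-id that our own MTA/filter puts in Authentication-Results.
TRUSTED_AUTHSERV_ID = "mx.example.net"
SHORT_HEADER = "X-DKIM-Status"

# Matches the "dkim=<result>" method clause inside a resinfo section.
_DKIM_RESULT_RE = re.compile(r"\bdkim\s*=\s*(\w+)", re.IGNORECASE)


def dkim_result(msg: EmailMessage, authserv_id: str = TRUSTED_AUTHSERV_ID) -> Optional[str]:
    """Return the dkim= result ("pass", "fail", ...) reported by the trusted
    authserv-id, "none" if that header carries no dkim clause, or None when no
    Authentication-Results header from the trusted authserv-id is present."""
    for raw in msg.get_all("Authentication-Results", []):
        # Collapse folding whitespace so the regex and split below are simple.
        value = re.sub(r"\s+", " ", str(raw)).strip()
        # RFC 8601: authserv-id [version] ";" resinfo ( ";" resinfo )*
        head, sep, rest = value.partition(";")
        parts = head.split()
        if not sep or not parts or parts[0].lower() != authserv_id.lower():
            continue  # foreign or malformed header: ignore it
        match = _DKIM_RESULT_RE.search(rest)
        return match.group(1).lower() if match else "none"
    return None


def add_short_header(raw_message: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message and add a single X-DKIM-Status header."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    # Drop any copy the sender may have pre-set, so the value is always ours.
    del msg[SHORT_HEADER]
    result = dkim_result(msg)
    msg[SHORT_HEADER] = "unknown" if result is None else result
    return msg


# Constructed sample messages (not real traffic).
TRUSTED_PASS = (
    b"Authentication-Results: mx.example.net;\n"
    b"\tdkim=pass header.d=example.org header.s=sel1;\n"
    b"\tspf=pass smtp.mailfrom=example.org\n"
    b"From: alice@example.org\nSubject: hello\n\nbody\n"
)
TRUSTED_FAIL = (
    b"Authentication-Results: mx.example.net 1; dkim=fail (bad signature)\n"
    b"\theader.d=example.org\n"
    b"From: alice@example.org\nSubject: hello\n\nbody\n"
)
# Sender-supplied headers only: a foreign authserv-id and a pre-set short header.
FOREIGN_PASS = (
    b"Authentication-Results: attacker.example; dkim=pass\n"
    b"X-DKIM-Status: pass\n"
    b"From: alice@example.org\nSubject: hello\n\nbody\n"
)

if __name__ == "__main__":
    for sample in (TRUSTED_PASS, TRUSTED_FAIL, FOREIGN_PASS):
        print(add_short_header(sample)[SHORT_HEADER])
```

Run at delivery time (for example from a local delivery agent), as the post recommends, not when viewing. The check on authserv-id does not help against a sender who forges a header with your own authserv-id; that case must be handled at the MTA by stripping incoming Authentication-Results headers before adding its own, which is what RFC 8601 expects. In mutt the resulting header can then be shown with `unignore X-DKIM-Status` and coloured with a `color header` rule matching `^X-DKIM-Status: pass`.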
