Tom Collins wrote:
> Bill (and others),
> 
> I noticed that your latest toaster patches include support for
> DomainKeys.  I've just read the informative Wikipedia article on DK
> <http://en.wikipedia.org/wiki/Domainkeys>, but have some questions on
> how you are using DK.
> 
> One of my clients had a recent email from PayPal get tagged as spam, and
> I noticed in the headers that PayPal is signing their outbound email. 
> What will I gain by updating my qmail-smtpd with DomainKeys support? 
> Will it only accept properly signed messages?  At that point, do I
> enable some rules in SpamAssassin to give preference to signed emails? 
> Will I need to someday create and manage a list of blacklisted domains
> that use DomainKeys?
> 
> I understand the benefit of signing outbound mail, but I assume that I
> would be signing all messages with my domain name, and not the virtual
> domain of each customer.  Has anyone explored a method of creating keys
> for each domain hosted, and signing based on the domain of the
> authenticated (SMTP AUTH) sender?

Conceptually, it's not that different than SPF, except instead of
looking at authorized IP range, it looks at signatures.  You have
similar flexibility in how you want to treat failures - allow them in,
defer them, or reject them.  For incoming mail, this is set in the DKVERIFY
environment.

As far as outbound mail goes, it's also flexible in that you can have a
system wide signature, or per domain signatures (different keys for each
domain).  These settings are in the DKSIGN environment.  If "%" is
contained in DKSIGN, signing is based on the From header, not the domain
used in smtp-auth.  I haven't explored otherwise.

The qmail-dk man page goes through all the options pretty thoroughly.  I
have my options set pretty conservatively at the moment, and am not
rejecting any mail.  I have not looked into SpamAssassin's DK support
yet either.

Regards,

Bill
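
Added example, not part of the original thread and not qmail-dk code: a sketch of per-domain key selection that substitutes the From: header domain for "%" in a DKSIGN-style template, and signs only when that domain matches the SMTP AUTH login domain, the case the question raises. The template path, function names, hosted-domain set and sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed template: "%" stands for the signing domain, as in DKSIGN.
DKSIGN_TEMPLATE = "/etc/domainkeys/%/default"

# Constructed sample message.
SAMPLE = "From: Alice <alice@example.org>\nSubject: test\n\nbody\n"

def from_domain(raw_message):
    """Return the lowercased domain of the From: header, or None."""
    msg = message_from_string(raw_message)
    froms = msg.get_all("From", [])
    if len(froms) != 1:            # missing or duplicated From: is ambiguous
        return None
    _, addr = parseaddr(froms[0])
    if addr.count("@") != 1:
        return None
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # Refuse anything that could leave the key directory once substituted.
    if not domain or "/" in domain or ".." in domain or domain.startswith("."):
        return None
    return domain

def select_key(raw_message, auth_user, hosted_domains, template=DKSIGN_TEMPLATE):
    """Return (key_path, reason); key_path is None when the message is left unsigned."""
    domain = from_domain(raw_message)
    if domain is None:
        return None, "no usable From: domain"
    if domain not in hosted_domains:
        return None, "From: domain not hosted here"
    if "@" not in auth_user:
        return None, "SMTP AUTH login has no domain"
    auth_domain = auth_user.rsplit("@", 1)[1].lower()
    if auth_domain != domain:
        # Key choice follows From:, so compare it with the authenticated login.
        return None, "From: domain differs from SMTP AUTH domain"
    return template.replace("%", domain), "ok"

if __name__ == "__main__":
    hosted = {"example.org", "example.net"}
    print(select_key(SAMPLE, "alice@example.org", hosted))
    print(select_key(SAMPLE, "bob@example.net", hosted))
```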
