Jerry Malcolm wrote:
> I have a question about how SA's DKIM rules apply to virtual hosting.  If
> "myhosting.com" hosts and sends mail for "JoesFlowers.com", does SA check
> the signature for "myHosting.com", for "JoesFlowers.com", or both?  Or is
> there some criteria to determine which domain name should have the DKIM
> signature?  Is there a penalty score if one or the other is missing?

Let's pick apart your message to the list and see! :-)

I'll abbreviate it just a little bit.

    Authentication-Results: havoc.proulx.com;
            dkim=pass (1024-bit key; unprotected) header.d=jwmhosting.com header.i=@jwmhosting.com
            header.b="VrBX7ycz";
            dkim-atps=neutral
    Authentication-Results: spamproc1-he-fi.apache.org (amavisd-new);
            dkim=pass (1024-bit key) header.d=jwmhosting.com
    From: Jerry Malcolm <techst...@malcolms.com>
    Subject: SpamAssassin DKIM with Virtual Hosting
    To: users@spamassassin.apache.org
    DKIM-Signature: a=rsa-sha256;
            b=VrBX7yc...;
            s=primary; c=relaxed/relaxed; d=jwmhosting.com; v=1;
            bh=8hMHDvIq9NslBFwLfwAyXNkqCHwBG5DBig+Bak+au5E=;
            h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;

In the signature it says s=primary, that's the selector, and
d=jwmhosting.com, so that is the domain.

    host -t txt primary._domainkey.jwmhosting.com
    primary._domainkey.jwmhosting.com descriptive text "k=rsa; p=MIGfMA0..."

The h= headers were included in the signature that created the b= and
bh= body hash of the message, corresponding to the key obtained by that
selector in that domain.  Then as the message passed through various
systems they added a tracing header in which the dkim=pass status was
noted along the way.  All of the way to my receiving system.  Whew!

But as you can see, with regard to your question, it means that
one can mix and match the s= selector and d= domain with the message
header.  On a technical level, if I have example.net and example.org I
could have example.net sign a key for example.org.  But is that really
useful?

As I understand it, if the domain does not match the domain in the
"From:" header then it should be ignored, as if the DKIM signature were
not provided.  But being a policy issue I am sure there will be
variances.  And I only very imperfectly understand the policy, what it
allows and what it denies.

But that means that mail From: j...@joesflowers.com should have a DKIM
signature which signs for the JoesFlowers.com domain, and the TXT record
should post a key for selector._domainkey.joesflowers.com so that
everything matches.

I like using the check-a...@verifier.port25.com automated test
facility to report on configurations.  Send a mail there and an
automated report will be returned.

Bob
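
The checks Bob walks through above (read s= and d= out of the signature, derive the DNS name the key lives under, compare d= with the From: domain) as an added Python example; this is not code from the thread or from SpamAssassin. The first sample reuses the headers quoted above (b= truncated as in the quote); the second, a joesflowers.com message with selector "flowers", is constructed to show the aligned case Bob recommends. The "organizational domain" comparison is a last-two-labels simplification, not a Public Suffix List lookup.

```python
import re
from email import message_from_string

# The headers quoted above from Jerry's message (b= truncated as in the quote).
MIXED_MESSAGE = """\
From: Jerry Malcolm <techst...@malcolms.com>
To: users@spamassassin.apache.org
DKIM-Signature: a=rsa-sha256; b=VrBX7yc...; s=primary;
 c=relaxed/relaxed; d=jwmhosting.com; v=1;
 bh=8hMHDvIq9NslBFwLfwAyXNkqCHwBG5DBig+Bak+au5E=;
 h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;

(body omitted)
"""

# Constructed sample: the hosted domain signing for itself, as Bob recommends.
ALIGNED_MESSAGE = """\
From: Joe <joe@joesflowers.com>
DKIM-Signature: v=1; a=rsa-sha256; s=flowers; d=joesflowers.com; b=...;

(body omitted)
"""

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def org_domain(domain):
    # Simplification: last two labels. A real verifier consults the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def check_message(raw):
    """Return the DNS name holding the key and how d= aligns with the From: domain."""
    msg = message_from_string(raw)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    dns_name = f"{tags['s']}._domainkey.{tags['d']}".lower()   # where 'host -t txt' looks
    from_dom = re.search(r"@([\w.-]+)", msg["From"]).group(1).lower()
    d = tags["d"].lower()
    if d == from_dom:
        align = "strict"
    elif org_domain(d) == org_domain(from_dom):
        align = "relaxed"
    else:
        align = "none"   # a valid signature that says nothing about the From: domain
    return dns_name, align

if __name__ == "__main__":
    for label, raw in (("Jerry's message", MIXED_MESSAGE), ("JoesFlowers", ALIGNED_MESSAGE)):
        print(label, *check_message(raw))
```

Jerry's message yields a passing but unaligned signature (d=jwmhosting.com vs. From: malcolms.com), which is exactly the situation an alignment-aware policy treats as if no signature were present.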
