Jerry Malcolm wrote:
> I have a question about how SA's DKIM rules apply to virtual hosting. If
> "myhosting.com" hosts and sends mail for "JoesFlowers.com", does SA check
> the signature for "myHosting.com", for "JoesFlowers.com", or both? Or is
> there some criteria to determine which domain name should have the DKIM
> signature? Is there a penalty score if one or the other is missing?
Let's pick apart your message to the list and see! :-) I'll abbreviate it just a little bit.

Authentication-Results: havoc.proulx.com;
    dkim=pass (1024-bit key; unprotected) header.d=jwmhosting.com
    header.i=@jwmhosting.com header.b="VrBX7ycz";
    dkim-atps=neutral
Authentication-Results: spamproc1-he-fi.apache.org (amavisd-new);
    dkim=pass (1024-bit key) header.d=jwmhosting.com
From: Jerry Malcolm <techst...@malcolms.com>
Subject: SpamAssassin DKIM with Virtual Hosting
To: users@spamassassin.apache.org
DKIM-Signature: a=rsa-sha256; b=VrBX7yc...; s=primary; c=relaxed/relaxed;
    d=jwmhosting.com; v=1; bh=8hMHDvIq9NslBFwLfwAyXNkqCHwBG5DBig+Bak+au5E=;
    h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;

In the signature it says s=primary, that's the selector, and d=jwmhosting.com, so that is the domain.

host -t txt primary._domainkey.jwmhosting.com
primary._domainkey.jwmhosting.com descriptive text "k=rsa; p=MIGfMA0..."

The h= headers were included in the signature, which created the b= and bh= body hash of the message corresponding to the key obtained by that selector in that domain. Then as the message passed through various systems they added a tracing header in which the dkim=pass status was noted along the way, all of the way to my receiving system. Whew!

But as you can see, with regard to your question, it means that one can mix and match the s= selector and d= domain with the message header. On a technical level, if I have example.net and example.org, I could have example.net sign a key for example.org. But is that really useful? As I understand it, if the domain does not match the domain in the "From:" header then it should be ignored as if the DKIM signature were not provided. But being a policy issue I am sure there will be variances. And I only very imperfectly understand the policy, what it allows and what it denies.
But that means that mail From: j...@joesflowers.com should have a DKIM signature which signs for the JoesFlowers.com domain, and the TXT record should post a key for selector._domainkey.joesflowers.com so that everything matches.

I like using the check-a...@verifier.port25.com automated test facility to report on configurations. Send a mail there and an automated report will be returned.

Bob
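An added example to go with the walk-through above; it is not part of Bob's message and not SpamAssassin's own code. It pulls the s=, d=, h= and bh= tags out of a DKIM-Signature header, derives the selector TXT record name (s._domainkey.d), checks whether the signing domain d= lines up with the domain in the From: header (the mismatch Bob points out between jwmhosting.com and malcolms.com), and recomputes the relaxed-canonicalized body hash bh= so the two can be compared. The sample message is constructed, the b= value is a placeholder, and the "last two labels" approximation of the organizational domain is an assumption (a real verifier uses the Public Suffix List). Verifying b= itself would need the RSA public key from DNS and is left out so the script runs offline.

```python
import base64
import email
import email.utils
import hashlib
import re

# Constructed sample modelled on the headers quoted in the thread.
# The b= value is a hypothetical placeholder, not a real signature;
# the bh= value is the relaxed hash of an empty body.
SAMPLE_MESSAGE = (
    "DKIM-Signature: a=rsa-sha256; b=VrBX7yczPLACEHOLDER; s=primary;\n"
    " c=relaxed/relaxed; d=jwmhosting.com; v=1;\n"
    " bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\n"
    " h=Message-ID:Date:Subject:From:To:MIME-Version:Content-Type;\n"
    "From: Jerry Malcolm <user@malcolms.com>\n"
    "Subject: SpamAssassin DKIM with Virtual Hosting\n"
    "To: users@spamassassin.apache.org\n"
    "\n"
)

# Same message as the hosted customer should send it: d= and From: agree.
SAMPLE_ALIGNED = SAMPLE_MESSAGE.replace(
    "d=jwmhosting.com", "d=joesflowers.com").replace(
    "@malcolms.com", "@joesflowers.com")


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list).
    Folding whitespace inside values (usual in b= and h=) is removed."""
    tags = {}
    for item in header_value.split(";"):
        if not item.strip():
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def selector_record_name(tags):
    """DNS name of the TXT record that publishes the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def signed_header_names(tags):
    """Header fields covered by the signature, as listed in h=."""
    return [h.lower() for h in tags["h"].split(":") if h]


def org_domain(domain):
    # Assumption: approximate the organizational domain by the last two
    # labels. A real verifier consults the Public Suffix List (co.uk etc.).
    return ".".join(domain.lower().split(".")[-2:])


def alignment(signing_domain, from_domain):
    """'strict' if d= equals the From: domain, 'relaxed' if they share an
    organizational domain, otherwise 'none' (treat as unsigned for policy)."""
    signing_domain, from_domain = signing_domain.lower(), from_domain.lower()
    if signing_domain == from_domain:
        return "strict"
    if org_domain(signing_domain) == org_domain(from_domain):
        return "relaxed"
    return "none"


def relaxed_body_canonicalize(body):
    """RFC 6376 section 3.4.4: collapse runs of WSP to one space, drop trailing
    WSP on each line, drop empty lines at the end, terminate lines with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while canon and canon[-1] == "":
        canon.pop()
    return "".join(line + "\r\n" for line in canon)


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body_canonicalize(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_message(raw):
    msg = email.message_from_string(raw)
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    _, from_addr = email.utils.parseaddr(msg["From"])
    from_domain = from_addr.rpartition("@")[2]
    return {
        "selector_record": selector_record_name(tags),
        "signed_headers": signed_header_names(tags),
        "alignment": alignment(tags["d"], from_domain),
        # non-multipart message: get_payload() is the body text
        "bh_matches": body_hash(msg.get_payload()) == tags["bh"],
    }


if __name__ == "__main__":
    for name, raw in (("as sent", SAMPLE_MESSAGE), ("aligned", SAMPLE_ALIGNED)):
        print(name, check_message(raw))
```

Run it and the first report shows alignment "none" for the message as Jerry's host signed it, while the second, signed for joesflowers.com with a matching key record name, shows "strict"; bh_matches stays True in both because the body hash does not depend on which domain signed.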