DKIM becomes more official

Vernon Schryver
Mon Oct 22 20:51:35 UTC 2007

> From: Gary Mills 

> I've just finished building and testing dkim-milter.

> The DKIM milter runs before the dccm milter.  It does use macros to
> communicate with the main sendmail process, but it doesn't appear to
> set macros specifically for subsequent milters.  It does create one
> header; here's an example for when verification succeeds:
>     Authentication-Results:; dkim=pass (1024-bit key)
> This was for e-mail from the domain with verification on
> host setup01.  Can this be used directly by the dccm milter?  

You can tell dccm, dccifd, or dccproc to pay attention to such "subsitute"
header lines with -SAuthentication-Results, as with -SList-ID and
others in DCCM_ARGS in the prototype dcc_conf file visible at

Does that header change depending on the sender?  If so, each sender
would require distinct /var/dcc/whiteclnt or
/var/dcc/user/local/$USER/whiteclnt whitelist lines of the form

    ok substitute Authentication-Results setup01....

Depending on what you want to do, those distinct whiteclnt entries
could be an advantage.

This does not answer the question of whether dccm sees the headers
added by dkim-milter.  To answer that question, I would run dccm
with -SAuthentication-Results, ensure that enough logging is on,
and look in /var/dcc/log or per-user log files to see if there are
checksums that say they are for Authentication-Results headers.

>                                                               I'd
> prefer something more automatic, with a spam reputation database
> interposed.

Could those individual entries in whiteclnt file(s) serve as your
"spam reputation database"?

>              I haven't yet done any analysis on how this could be
> accomplished, but it would be good for users (or the administrator)
> to have a say in the matter.  I suppose that the RBL support in dccm
> might be a suitable model.

I don't see the connection to the RBL support, but those 
"ok substitute Authentication-Results ..." lines can be in individual
user whiteclnt files.  The proof-of-concept CGI scripts should do the
right thing to support point-and-click on log files when dccm or dccifd
is running with -SAuthentication-Results.

Current versions of the DCC client code allow per-user control of
checksum thresholds in whiteclnt files including through the CGI scripts,
not to mention individual white- or blacklisting of checksums of headers.
You cannot control the -SAuthentication-Results threshold separately
from other substitute headers.

Perhaps with all of this talk of "reputations," maybe it would be ok
if I mention the DCC Reptuations supported by the commercial version
of the code.  My arrangement with Commtouch has changed.  I'm still
constrained by the patent, but in many cases I can now sell licenses
to the commercial DCC code on terms that I hope are more friendly.

Vernon Schryver

More information about the DCC mailing list

Contact by mail or use the form.