Who is using DKIM signing

Gary Mills mills@cc.umanitoba.ca
Sat Dec 8 22:36:06 UTC 2007

I finally have dkim-milter running on our production e-mail server,
ahead of the dccm milter.  It's taking an insignificant portion of
the CPU cycles, and seems reliable.  Here's a typical sendmail log
entry, showing sendmail adding a header:

  Dec  8 14:44:04 electra sm-mta[10083]: [ID 801593 mail.info] lB8KhnwS010083: Milter insert (1): header: Authentication-Results:  electra.cc.umanitoba.ca; dkim=pass (1024-bit key) header.i=@gmail.com

Here's a summary from the same log, showing the frequency of the `dkim='
and `header.i=' fields and cut off at six copies:

 467 pass @gmail.com
  85 pass @googlegroups.com
  56 pass @google.com
  50 neutral @gmail.com
  41 fail @arizonajoin.com
  34 pass @dwellroute.com
  18 fail @accesshello.com
  17 pass @mentalstruct.com
  15 pass panel@i-say.com
  14 pass @immensedispersalblitz.com
  12 permerror @adobesystems.com
  10 permerror @springer.delivery.net
  10 pass @goodsclassic.com
   9 pass @immensetradeblitz.com
   8 pass @immensetrafficblasting.com
   8 pass @googlemail.com
   7 permerror newsmax@reply.newsmax.com

`dccm' can whitelist these messages, based on the
`Authentication-Results' header.  Some of them look suspicious, but
some certainly could be used for whitelisting.  Essentially, this
means delegating responsibility for user behavior to the people that
own the domain.  I notice that when somebody from @gmail.com sends to
us, the result code is `pass', but when they send through an external
mailing list to us, the code changes to `neutral'.  Some also have
`fail', meaning that verification failed, and some have `permerror',
meaning that part of the signature was missing or in error.

It will really require a third party to report the spam reputation
of each domain owner before we can use DKIM signature for wholesale
whitelisting of e-mail messages.

-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-

More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.