DKIM signatures with DCC

Gary Mills
Mon Oct 26 19:17:35 UTC 2009

I've been using DCC to whitelist messages by DKIM signature for some
time now, and have been quite pleased with the results.  I keep the
sendmail headers in a separate file that's included into the
`whiteclnt' file.  They look like this:

    ok      substitute Authentication-Results; dkim=pass (1024-bit key)
    ok      substitute Authentication-Results; dkim=pass (1024-bit key)

DKIM signature validation is extremely useful for spam control because
it prevents forgeries.  Any signed and validated message from is guaranteed to come from that
organization.  Forged messages from the same address will not pass
validation, even if they are DKIM-signed.  This is a great advance.
It eliminates all the spam that comes from herds of compromised home
computers.  This is especially important for phishing attempts.

Unfortunately, the presence of a valid DKIM signature does not
indicate that the message is not spam.  It only indicates that the
sending domain employs DKIM signatures.  E-mail marketing companies,
each with thousands of domain names, are signing their messages in
hopes that they will appear more legitimate.  This means that there's
no way to tell from the domain name itself if an organization does not
send spam, like a bank or a university, or if they are one of those

So far, I've only accumulated twelve domain names that I trust not to
send spam.  This number has to be greatly expanded to make DKIM
signatures truely useful.  How can we do this?  The usual answer seems
to be a reputation database of domain names, but I've still not found
such a thing.  I'm certainly willing to pay for it.  This is the
missing piece in the puzzle.

-Gary Mills-        -Unix Group-        -Computer and Network Services-

More information about the DCC mailing list

Contact by mail or use the form.