DKIM signatures with DCC

Chris Aseltine
Tue Oct 27 01:44:09 UTC 2009

Vernon are you going to answer?

"Gary Mills" <> writes:

> I've been using DCC to whitelist messages by DKIM signature for some
> time now, and have been quite pleased with the results.  I keep the
> sendmail headers in a separate file that's included into the
> `whiteclnt' file.  They look like this:
>     ok      substitute Authentication-Results;
>     dkim=pass (1024-bit key) ok     
> substitute Authentication-Results; dkim=pass
> (1024-bit key)  
> DKIM signature validation is extremely useful for spam control because
> it prevents forgeries.  Any signed and validated message from
> is guaranteed to come from that
> organization.  Forged messages from the same address will not pass
> validation, even if they are DKIM-signed.  This is a great advance.
> It eliminates all the spam that comes from herds of compromised home
> computers.  This is especially important for phishing attempts.
> Unfortunately, the presence of a valid DKIM signature does not
> indicate that the message is not spam.  It only indicates that the
> sending domain employs DKIM signatures.  E-mail marketing companies,
> each with thousands of domain names, are signing their messages in
> hopes that they will appear more legitimate.  This means that there's
> no way to tell from the domain name itself if an organization does not
> send spam, like a bank or a university, or if they are one of those
> marketeers.
> So far, I've only accumulated twelve domain names that I trust not to
> send spam.  This number has to be greatly expanded to make DKIM
> signatures truely useful.  How can we do this?  The usual answer seems
> to be a reputation database of domain names, but I've still not found
> such a thing.  I'm certainly willing to pay for it.  This is the
> missing piece in the puzzle.

More information about the DCC mailing list

Contact by mail or use the form.