DKIM

Verify mode: 2+ weeks live, test written

Sign mode: experimental, untested

Description

DKIM stands for DomainKeys Identified Mail and is a method to assure that the sender of a mail is the responsible sender (e.g. the domain holder) and not a fraudulent third party (a spammer). In short: the domain holder deposits a public key in a specific TXT zone record. The outgoing MTA signs part of the outgoing mail (mostly: some headers) with the private key. The receiving MTA can validate the mail (the signed parts) against the public key. Voilà: the sender is verified, because only the original domain owner has the private key.

Keep in mind: any spammer can get a legitimate domain and deposit a public key there. Receiving a validly signed mail does not imply at all that it is not spam. Only the opposite, receiving a mail that fails validation, might indicate that the mail is spam.

Two modes

The DKIM module can run in two modes:

  1. Sign mode
    All passing mails will be signed. Used for outgoing-only MTAs, or at least at the correct position in the outgoing path.
  2. Verify mode
    All mails will be verified. Used for receiving MXs.

Criticism

Not all parts of the mail can be signed, because the mail has to be transported and any mail server on the way should be able to inject (not modify) headers, e.g. Received or some spam filter X-headers. Thus, any spammer can inject at least some headers. Furthermore, DKIM does not sign the body most of the time, because it might be altered or re-encoded (e.g. 8bit -> quoted-printable), which is also a huge loophole for altering the message.
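To see how much of a given mail a signature actually covers, a receiver can audit the DKIM-Signature header itself. The following is an added example, not code from this module: it reads the standard `h=` (signed header list) and `l=` (body length limit) tags and reports header instances that lie outside the signature. The function names and the sample message are constructed for illustration.

```python
from collections import Counter
from email import message_from_string

# Constructed sample message (not real mail); bh= and b= are placeholders.
SAMPLE = """\
Received: from relay.example.net by mx.example.org; Mon, 1 Jan 2024 10:00:02 +0000
X-Spam-Score: 0.1
Subject: Second subject added in transit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;
 h=From:To:Subject:Date; l=20; bh=PLACEHOLDER; b=PLACEHOLDER
From: alice@example.com
To: bob@example.org
Subject: Original subject
Date: Mon, 1 Jan 2024 10:00:00 +0000

Hello Bob, this is the signed part. Anything appended later is not.
"""

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def coverage(raw):
    """Return (unsigned header instances per name, body length limit or None)."""
    msg = message_from_string(raw)
    sig = msg["DKIM-Signature"]
    if sig is None:
        return None, None  # no signature, nothing is covered
    tags = parse_tags(sig)
    signed = Counter(h.lower() for h in tags.get("h", "").split(":") if h)
    present = Counter(k.lower() for k in msg.keys()
                      if k.lower() != "dkim-signature")
    # Each h= entry covers one instance of that header, counted from the
    # bottom of the header block; further instances are outside the signature.
    unsigned = {n: c - signed[n] for n, c in present.items() if c > signed[n]}
    limit = int(tags["l"]) if "l" in tags else None
    return unsigned, limit

if __name__ == "__main__":
    print(coverage(SAMPLE))
```

A non-empty result for a header that users see (Subject, From, To), or any `l=` limit, means the mail can carry content the signature does not vouch for, which is worth reflecting in how much trust a "pass" earns.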

Configuration

Please read first:

  1. default configuration
    • disable
    • max_size

enable_verify

Enables verification mode. All passing mails will be checked for a valid signature.

enable_sign

Default: 0
Allowed values: Bool (0 or 1)
Required: no

Opposite of enable_verify. You cannot activate both. This option requires sign_key and/or sign_key_dir.

sign_key

Default: -
Allowed values: String (path to private key)
Required: no

Path to the signature key. This key is used as the default key whenever sign_key_dir is not used or no matching key is found in sign_key_dir.

sign_key_dir

Default: -
Allowed values: String (path to private key directory)
Required: no

Path to the signature key directory. Expects keys named “domain.key”, where domain is the full domain name (e.g. blog.foaa.de).

sign_algo

Default: rsa-sha1
Allowed values: String
Required: no

Which algorithm to use for signing. The default is rsa-sha1; it could be rsa-sha256 and the like.

sign_method

Default: relaxed
Allowed values: String
Required: no

Which method to use. There are relaxed and simple.

enable_verify

Default: 0
Allowed values: Bool (0 or 1)
Required: no

Whether to enable DKIM verification.

weight_pass

Default: 15
Allowed values: Integer
Required: no

Scoring for passed mails, meaning: there is a DKIM verification header and the mail can be verified.

weight_fail

Default: -50
Allowed values: Integer
Required: no

Scoring for failed mails, meaning: there is a DKIM verification header and the mail can NOT be verified.

weight_invalid

Default: -25
Allowed values: Integer
Required: no

The signature could not be checked because of the signature header or the public key record.

weight_temperror

Default: 0
Allowed values: Integer
Required: no

A temporary error, e.g. the public key could not be retrieved.

weight_none

Default: 0
Allowed values: Integer
Required: no

There is no signature. Therefore no check.

Performance

Runtime: average 0.01 secs (verify)

Postfix configuration

If you want to enable DKIM, you have to disable the automatic output conversion, or Postfix will re-encode all 8bit, binary and so on to quoted-printable (7bit). This can be achieved with:

-o disable_mime_output_conversion=yes
