DKIM Verification

Use this screen to configure MDaemon to verify DomainKeys Identified Mail (DKIM) and/or DomainKeys (DK) signatures in incoming remote messages. When this feature is enabled and an incoming message has been cryptographically signed, MDaemon will retrieve the public key from the DNS record of the domain taken from the signature and then use that key to test the message’s DKIM or DK signature to determine its validity.

If the signature passes the verification test, the message will continue on to the next step in the regular delivery process. Additionally, if the domain taken from the signature also appears on the Approved List, the message’s Spam Filter score will receive a beneficial adjustment.

If a message has no signature, or if the signature is invalid, MDaemon will retrieve the Author Domain Signing Practices (ADSP) record of the domain in the From header to determine whether or not all of that domain’s messages should be signed. If the ADSP record indicates that a valid signature is required and the public key indicates that the signer is not merely testing DKIM, the message will receive a "Fail" result and be treated accordingly—it can be rejected outright or accepted but have its Spam Filter score adjusted upward.

Finally, if a site's ADSP record uses a syntax unknown to MDaemon, if no record exists at all, or if the ADSP option located on the DKIM Options screen is disabled, then no punitive measures will be taken. The unsigned or invalidly signed message will be treated as if the domain signs only some of its messages.

For more on DKIM see: http://www.dkim.org/

DKIM / DomainKeys Verification

Verify DomainKeys signatures

Click this option to enable DomainKeys verification of incoming remote messages.

Verify DomainKeys Identified Mail (DKIM) signatures

Click this option to enable DomainKeys Identified Mail verification of incoming remote messages. If you have configured MDaemon to verify both DKIM and DK signatures, and a given message contains both types of signatures, then no DK verification will be attempted if a DKIM signature produces a "pass" result. This option is required if you have SecurityPlus for MDaemon installed and wish to use its Urgent Updates feature.

Verification Outcomes

Messages which are missing a required valid signature:

The following punitive measures can only be applied to messages when the Author Domain Signing Practices (ADSP) option is enabled on the DKIM Options screen. When the ADSP option is disabled, no messages will be rejected or scored negatively by DKIM verification, regardless of these settings.

...send 550 error code

When the ADSP record indicates that a valid signature is required, any message without one will be rejected—MDaemon will return the 550 code and reject the message during the SMTP process. If, however, the signer’s public key indicates that the signer is merely testing DK/DKIM, the message will be processed normally.

...and then close the connection

Click this option if you wish to close the connection to the sending server when a message is rejected according to the previous option. If this option is disabled then the message will still be rejected according to the previous option but the connection will be allowed to continue.

...add this to the Spam Filter score

When the ADSP record indicates that a valid signature is required, any message without one will have this value added to its Spam Filter score. If, however, you have enabled the "...send 550 error code" option above, the message will be rejected as invalid without having to be processed through the Spam Filter. In all cases, if the signer’s public key indicates that the domain is “testing,” no action will be taken—the Spam Filter score will not be modified.

Using this option could still cause a message to be rejected if the resulting Spam Filter score exceeds the SMTP rejection threshold designated on the Spam Filter screen.

Messages with valid signatures from a domain listed on the ‘Approved List’:

...add this to the Spam Filter score

The value specified here will be added to the Spam Filter score of any DK or DKIM signed messages that receive a "Pass" result when the domain taken from the signature appears on the Approved List. When a message’s signature is verified but the domain is not on the Approved List, the Spam Filter score will not be adjusted—the verified signature will have no effect on the score. However, normal Spam Filter processing and scoring will still be applied to that message.

Ordinarily the value specified here should be a negative number so that the spam score will be reduced for messages containing a valid cryptographic signature when the domain taken from the signature is on the Approved List. MDaemon’s default value for this option is -0.5.
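The verification flow described at the top of this topic (key lookup from the signature's domain, fallback to the From domain's ADSP record, the "testing" exemption) and the Verification Outcomes settings above, modelled as an added Python example. This is illustrative code, not MDaemon's implementation. It performs no cryptographic verification: the caller supplies the signature result. The DNS names it builds (<selector>._domainkey.<domain> for the key, _adsp._domainkey.<domain> for ADSP) follow RFC 6376 and RFC 5617; the signature, key records, domains and the missing-signature score are constructed placeholders, and treating an ADSP value of "discardable" the same as "all" is this example's choice, since the page only speaks of records that require a signature.

```python
"""Added example: a model of the DKIM / ADSP decision flow described on this page.

Illustrative code, not MDaemon's. The cryptographic check (canonicalisation, body
hash, RSA verify) is out of scope: the caller supplies `signature_valid`. All DNS
records, domains and scores are constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional


def parse_tags(record: str) -> dict:
    """Parse a DKIM-style tag=value list such as "v=DKIM1; k=rsa; t=y; p=...".

    Only the first '=' separates name from value (base64 padding contains '='),
    and folding whitespace inside values is dropped, as RFC 6376 s3.2 allows.
    """
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def key_lookup_name(sig: dict) -> str:
    """DNS name holding the signer's public key: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def adsp_lookup_name(from_domain: str) -> str:
    """DNS name of the Author Domain Signing Practices record (RFC 5617)."""
    return f"_adsp._domainkey.{from_domain}"


def signer_is_testing(key_record: str) -> bool:
    """True when the key record carries the t=y flag (signer is only testing)."""
    return "y" in parse_tags(key_record).get("t", "").split(":")


def signature_required(adsp_record: Optional[str]) -> bool:
    """True only for a record that demands a signature on all mail.

    A missing record, unparseable syntax or an unrecognised dkim= value all mean
    False, i.e. the domain is assumed to sign only some of its messages.
    """
    if not adsp_record:
        return False
    return parse_tags(adsp_record).get("dkim", "").lower() in ("all", "discardable")


@dataclass
class Settings:
    """The Verification Outcomes / DKIM Options controls described on this page."""
    adsp_enabled: bool = True        # ADSP option on the DKIM Options screen
    send_550: bool = False           # "...send 550 error code"
    close_connection: bool = False   # "...and then close the connection"
    missing_sig_score: float = 5.0   # "...add this to the Spam Filter score" (sample value)
    approved_score: float = -0.5     # pass + Approved List bonus (page default -0.5)


@dataclass
class Verdict:
    action: str         # "accept", "reject-550" or "reject-550-close"
    score_delta: float  # adjustment to apply to the Spam Filter score
    reason: str


def evaluate(sig: Optional[dict], signature_valid: bool, key_record: Optional[str],
             adsp_record: Optional[str], approved: set, cfg: Settings) -> Verdict:
    """Apply the page's rules to one message; sig is the parsed DKIM-Signature or None."""
    # A valid signature passes; the score bonus applies only to Approved List domains.
    if sig and signature_valid:
        if sig["d"] in approved:
            return Verdict("accept", cfg.approved_score, f"dkim=pass d={sig['d']} approved")
        return Verdict("accept", 0.0, f"dkim=pass d={sig['d']}")
    # Unsigned or invalid: punitive measures exist only when ADSP checking is on.
    if not cfg.adsp_enabled:
        return Verdict("accept", 0.0, "adsp option disabled")
    if not signature_required(adsp_record):
        return Verdict("accept", 0.0, "adsp unknown: domain signs only some mail")
    if key_record and signer_is_testing(key_record):
        return Verdict("accept", 0.0, "signer is testing (t=y)")
    if cfg.send_550:
        return Verdict("reject-550-close" if cfg.close_connection else "reject-550",
                       0.0, "required signature missing or invalid")
    return Verdict("accept", cfg.missing_sig_score, "required signature missing or invalid")


# Constructed sample inputs (placeholder values, not real keys or DNS data).
SIGNATURE = ("v=1; a=rsa-sha256; d=example.com; s=mail2024; c=relaxed/relaxed;\r\n\t"
             "h=from:to:subject; bh=ZmFrZWhhc2g=; b=ZmFrZXNpZw==")
KEY_RECORD = "v=DKIM1; k=rsa; p=UExBQ0VIT0xERVI="           # placeholder, not a real key
TESTING_KEY_RECORD = "v=DKIM1; k=rsa; t=y; p=UExBQ0VIT0xERVI="
ADSP_ALL = "dkim=all"

if __name__ == "__main__":
    sig = parse_tags(SIGNATURE)
    print(key_lookup_name(sig), adsp_lookup_name(sig["d"]))
    cfg = Settings(send_550=True, close_connection=True)
    print(evaluate(sig, True, KEY_RECORD, None, {"example.com"}, cfg))
    print(evaluate(None, False, None, ADSP_ALL, set(), cfg))
    print(evaluate(sig, False, TESTING_KEY_RECORD, ADSP_ALL, set(), cfg))
```

The ordering of the checks in `evaluate` is the point: a valid signature short-circuits everything, the ADSP option gates every punitive outcome, the testing flag exempts the signer before any rejection or scoring, and the 550 rejection takes precedence over the score adjustment, exactly as the option descriptions above state.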

Verification Options

Don't verify messages from authenticated sessions

Click this option if you want to exempt messages from cryptographic verification when the message session is authenticated. Authenticated sessions include those verified via SMTP Authentication, POP before SMTP, or the IP Shield.

Connections from trusted IPs are exempt from cryptographic verification

Use this option if you want connections from trusted IP addresses to be exempt from cryptographic verification.

Cache verification results

Click this option if you wish to cache the DK/DKIM information found during the DNS lookup. By temporarily caching the information contained in a domain's DNS record, you can increase the efficiency of processing DK/DKIM signed messages that arrive in the near future from the same domain.

Cache

This button opens the DomainKeys cache. When using the Cache verification results option above, this file will list any currently cached information.

White list

Click this button to open the exception list. Messages originating from any IP addresses specified on the list will not be subject to cryptographic verification.

Authentication-Results header

Whenever a message is authenticated using SMTP AUTH, SPF, DomainKeys, or DomainKeys Identified Mail, MDaemon will insert the Authentication-Results header into the message listing the results of the authentication process. If MDaemon is configured to accept messages even when they fail authentication, then the Authentication-Results header will contain a code to identify the reason for the failure.

There is ongoing work via the Internet Engineering Task Force (IETF) on this header and the authentication protocols mentioned in this section. You can find more information on this at the IETF web site, located at: http://www.ietf.org/.
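The Authentication-Results header is a machine-readable record of the checks above, and its format has since been published by the IETF as RFC 8601. The following added example, which is not MDaemon's code, parses one header value into its authserv-id and its per-method result, reason and property parts, and then collects the failure reasons a downstream filter would look at. The header value is a constructed sample in the general RFC shape and does not claim to reproduce MDaemon's exact output.

```python
"""Added example: a parser for the Authentication-Results header (RFC 8601).

Illustrative code, not MDaemon's; the sample header value is constructed and only
shows the general shape of the header, not MDaemon's exact output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ResultInfo:
    method: str                       # e.g. "dkim", "spf", "dk", "auth"
    result: str                       # e.g. "pass", "fail", "none", "neutral"
    reason: Optional[str] = None      # free-text reason, when the server gave one
    props: Dict[str, str] = field(default_factory=dict)  # ptype.property -> value


def _split_outside_quotes(text: str, sep: str = ";") -> List[str]:
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


# key=value pairs; the value is either a quoted string or a run of non-space chars.
_PAIR = re.compile(r'(?P<key>[\w.\-/]+)\s*=\s*(?P<val>"[^"]*"|\S+)')


def parse_authentication_results(value: str) -> Tuple[str, List[ResultInfo]]:
    """Return (authserv-id, [ResultInfo, ...]) for one header value."""
    unfolded = " ".join(value.split())             # undo header folding
    clauses = _split_outside_quotes(unfolded)
    authserv_id = clauses[0].split()[0]            # "authserv-id [version]"
    results: List[ResultInfo] = []
    for clause in clauses[1:]:
        if clause.lower() == "none":               # "none": no authentication was done
            continue
        pairs = [(m.group("key"), m.group("val").strip('"')) for m in _PAIR.finditer(clause)]
        if not pairs:
            continue
        method, result = pairs[0]                  # first pair is method=result
        info = ResultInfo(method.split("/")[0].lower(), result.lower())
        for key, val in pairs[1:]:
            if key.lower() == "reason":
                info.reason = val
            else:
                info.props[key.lower()] = val
        results.append(info)
    return authserv_id, results


def failure_reasons(results: List[ResultInfo]) -> Dict[str, str]:
    """Methods that did not produce 'pass', with the reason the server recorded."""
    out = {}
    for r in results:
        if r.result != "pass":
            out[r.method] = f"{r.result}: {r.reason}" if r.reason else r.result
    return out


# Constructed sample header value, folded as it would appear in a message.
SAMPLE = ("mx.example.net;\r\n"
          "\tdkim=pass header.d=example.com header.s=mail2024;\r\n"
          '\tspf=fail smtp.mailfrom=example.org reason="no SPF record; none published";\r\n'
          "\tdk=neutral header.from=example.org;\r\n"
          "\tauth=pass smtp.auth=alice@example.net")

if __name__ == "__main__":
    authserv, found = parse_authentication_results(SAMPLE)
    print(authserv)
    for r in found:
        print(r)
    print(failure_reasons(found))
```

Splitting on semicolons only outside quoted strings matters because a reason string may itself contain a semicolon; a naive `split(";")` would break such a header into fragments and misattribute results.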

DK/DKIM Headers in Mailing List Messages

By default, MDaemon strips DK/DKIM signatures from incoming list messages because those signatures can be broken by changes made to the message headers or content during list processing. If you would like MDaemon to leave signatures in list messages, you can configure it to do so by manually setting the following option in the MDaemon.ini file:

[DomainKeys]
StripSigsFromListMail=No

The default value of this key is Yes.
