Re: Rejected messages from the mailing list

From: Alessandro Vesely <>
Date: Mon, 02 Aug 2010 14:37:39 +0200

On 02/Aug/10 12:29, SM wrote:
> One of the subscribers to this mailing list is rejecting messages from
> the list. The remote MTA returns a "550 DKIM signature required by
> policy" reply.

Ooops, it's me, or someone else having enabled ADSP on zdkimfilter.

BTW, source now says "554 DKIM signature required by ADSP" --not released yet.

> The rejection is triggered when the domain used by the poster has a
> "dkim=all" ADSP policy. This mailing list adds a DKIM signature to
> the message but it does not alter the message or remove the
> existing DKIM signature.

It breaks most of the times, though. (About 3:1 in my current folder)

> It seems that the DKIM verifier is only checking the top-most DKIM
> signature instead of all the DKIM signatures. That would explain the
> policy rejection.

Zdkimfilter has whitelisting options, and orders signatures according to their domain being author, whitelisted, sender, helo, using dkim_set_final. Then, the library delivers the first verified signature. However, I had forgotten to whitelist :-/

> As this mailing list is about discussing about OpenDKIM and also
> debugging it, it would be helpful if you do not apply ADSP policy for
> mail traffic from this mailing list.

I've now disabled ADSP actions, as it should be --and is, by default. Obviously, I cannot rely on remembering to whitelist each list. In addition, whitelisting by signing domain wouldn't work in case a signature fails. (Apparently, SPF is more reliable for whitelisting.)

The message I'm replying to, for example, has a failed signature. I suspect the Content-Type field. What I received has:

  dkim=fail (signature verification failed)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;
        s=mail2010; t=1280745029; x=1280831429;
Message-Id: <>
Date: Mon, 02 Aug 2010 03:29:22 -0700
From: SM <>
Subject: Rejected messages from the mailing list
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
List-Help: <>
List-Unsubscribe: <>
List-Id: <>
List-Subscribe: <>
List-Owner: <>
List-Post: <>
Received on Mon Aug 02 2010 - 12:37:55 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:48 PST