RE: What does DKIM-based rate limiting do?

From: Murray S. Kucherawy
Date: Tue, 5 Jul 2011 11:11:30 -0700

> -----Original Message-----
> From: [] On Behalf Of Gary Mills
> Sent: Tuesday, July 05, 2011 7:34 AM
> To:
> Subject: What does DKIM-based rate limiting do?
> When I examined opendkim-2.4.1, I noticed this configure option:
> --enable-rate_limit support for DKIM-based rate limiting
> What does this do exactly? We run j-chkmail solely to provide SMTP
> rate limiting. It maintains a database of all IP addresses used for
> client connections over a time interval, applying rate limiting to
> those that exceed configured values. Does OpenDKIM now do something
> similar?

It's experimental code included as a rudimentary hook to an unspecified domain-based reputation system, which is the obvious follow-on to DKIM. As such, it's still undocumented because it might change and might even be broken.

The concept: You provide a data set that maps domain names to integers, which represent daily flow limits for each domain. The data set is populated using a mechanism of your choosing. OpenDKIM maintains a temporary hash table mapping domain names to counts of messages bearing valid signatures from those domains, with the count resetting daily. If a single message would cause the stored count to exceed the integer for a domain name in the data set you provided, the message is temp-failed.

There's no guarantee this is a good or right solution to much of anything; it's merely an experimental hook. The other half of the experiment, which populates the data set containing the limits, is on a branch that hasn't been merged with the main code branches yet because I'm still tinkering with it when I have time to do so.

Received on Tue Jul 05 2011 - 18:11:44 PST
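
The counting scheme described in the message above, as an added sketch; it is not OpenDKIM's code and not part of the original post. All names, the sample limits, the fixed-size array standing in for the hash table, and the choices marked as assumptions in the comments are illustrative.

```c
#include <ctype.h>
#include <stdio.h>
#include <time.h>

/* All names here are hypothetical; this is not OpenDKIM's code. */
enum verdict { ACCEPT, TEMPFAIL };
struct limit { const char *domain; unsigned per_day; };
struct counter { char domain[256]; unsigned count; };

/* Constructed data set: signing domain -> daily flow limit. */
static const struct limit limits[] = { { "example.com", 3 }, { "bulk.example.net", 1 } };
#define NLIMITS (sizeof limits / sizeof limits[0])

static struct counter counts[64];   /* stand-in for the temporary hash table */
static size_t ncounts;
static long today = -1;

static int same_domain(const char *a, const char *b)   /* case-insensitive compare */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Call once per message carrying a valid signature from `domain`. */
enum verdict rate_check(const char *domain, time_t now)
{
    size_t i, l;
    long day = (long)(now / 86400);
    if (day != today) { ncounts = 0; today = day; }    /* counts reset daily */

    for (l = 0; l < NLIMITS && !same_domain(limits[l].domain, domain); l++) ;
    if (l == NLIMITS) return ACCEPT;     /* assumption: unlisted domains are not limited */

    for (i = 0; i < ncounts && !same_domain(counts[i].domain, domain); i++) ;
    if (i == ncounts) {                  /* first valid signature from this domain today */
        if (ncounts == sizeof counts / sizeof counts[0]) return ACCEPT; /* assumption: fail open when full */
        snprintf(counts[ncounts].domain, sizeof counts[0].domain, "%s", domain);
        counts[ncounts++].count = 0;
    }
    if (counts[i].count + 1 > limits[l].per_day) return TEMPFAIL; /* would exceed the limit */
    counts[i].count++;                   /* assumption: only accepted messages are counted */
    return ACCEPT;
}

int main(void)
{
    time_t t = (time_t)15160 * 86400;    /* constructed timestamp */
    for (int n = 1; n <= 4; n++)
        printf("example.com message %d: %s\n", n,
               rate_check("example.com", t) == ACCEPT ? "accept" : "tempfail");
    return 0;
}
```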
