Opendkim on-(error) configs for production systems?

From: <>
Date: Tue, 21 Jun 2016 10:57:22 -0700

I've been happily using OpenDKIM (and SPF, and OpenDMARC) for a bit -- both for outbound signing and inbound verification/authentication.

Outbound works perfectly. At least according to all the tests I've run so far.

In bound mostly works, except in the case of a few mailing list message that keep getting sucked into Quaratine.

That's a 'few'. A VERY few. Not all by any stretch. Most work just fine.

My problem at the moment is that ones that are failing signature verification and getting quarantined are from 'big' vendors, IBM Marketing, FeedBlitz, etc.

I'm well aware of the issues , discussed for ages, of DKIM signing "vs" mailing list software. And I don't believe for one second that necessarily "big vendor" == done correctly.

That said, I'm starting with a review of my config -- and a thorough re-read of the docs.

Which brings me to my specific question:

If my goal is to NOT quarantine broken mailing lists' mail, but still not hobble my opendkim verification of inbound, what's a recommended production error policy for inbound DKIM verification?

Right now, mine happens to be

 On-BadSignature accept
 On-DNSError tempfail
 On-InternalError tempfail
 On-KeyNotFound accept
 On-NoSignature accept
 On-Security tempfail
 On-SignatureError reject

I've re-read the docs over and over, and still can't understand what a recommended config is.

One thing that matters is, as much as possible, I do NOT want to accommodate lazy/broken senders' (mis)configs. I understand that -- even though it's 2016 -- I may still have to. But that's where production recommendations will help.

Received on Tue Jun 21 2016 - 18:07:42 PST

This archive was generated by hypermail 2.3.0 : Tue Jun 21 2016 - 18:18:01 PST