Yea, I had already looked in there, they aren't there. I eventually found them in


Looks like the defaults are,

  score DKIM_ADSP_ALL          2.5
  score DKIM_ADSP_DISCARD     25
  score DKIM_ADSP_NXDOMAIN     3

  score DKIM_ADSP_CUSTOM_MED   3.5

For right now, I'm going to adjust a few of these and also adjust some of the SPF settings. Here's what I'm trying right now in my /etc/spamassassin/

#Adjust scores for SPF FAIL
score SPF_FAIL 4.0
score SPF_HELO_FAIL 4.0
score SPF_SOFTFAIL 3.0
#adjust DKIM scores
score DKIM_ADSP_ALL 3.0

Thanks, Gary

On 6/2/2020 12:29 PM, Eric Broch wrote:


The stock scores for spamassassin are in /usr/share/spamassassin/*.cf.

# grep DKIM /usr/share/spamassassin/*.cf

For your local configuration you can override the scores in /etc/mail/spamassassin/ on COS8 or /etc/spamassassin/ on COS7. I know THAT one can manipulate scores to fit their needs with spamassassin, however, I have NEVER done it. This is me sloughing it off. ;-) The reason I like spamassassin DKIM verification is because it doesn't just reject bad DKIM which as you mentioned can have bad effects but scores it with other things for rejection.

If you find some configuration that suits you and your system I'd we willing to post in on the QMT web as a stock 'QMT' setting.


On 6/2/2020 10:11 AM, Gary Bowling wrote:

Thanks Eric. What is the config setting in to change the DKIM scoring? I don't find any setting in my /etc/spamassassin/ directories that sets that score. Is the scoring for the stock EPEL different from what we have? I assume not since you said you didn't tailor any of that in QMT.

I think that's a good move to use the stock spamassassin from EPEL.

As DKIM seems to be more pervasive these days, I might be tempted to increase the score in spamassassin if I can find the setting.

Thanks, Gary

On 6/2/2020 11:56 AM, Eric Broch wrote:

Hi Gary,

My intent, which I articulated in another email on the list and instead of reinventing the wheel, was exactly as you deduced in your email, that is, to allow spamassassin to score DKIM which it does; however, I have not done anything as far as a tailoring configuration for QMT and was content to allow users that scoring decision. My goal is to drop the specially created QMT spamassassin (and clamav) rpm, which I've done in CentOS 8, and use the stock rpm from EPEL.

I think you can override default scoring for DKIM in /etc/spamassassin/ on COS7 and /etc/mail/spamassassin/ on COS8.


On 6/2/2020 8:09 AM, Gary Bowling wrote:

What is everyone doing these days for DKIM verification, i.e. checking incoming mail for DKIM signatures?


Many years ago, when DKIM was first introduced to the toaster (maybe it was even in the Shupp's toaster days), I installed and turned on incoming DKIM verification. Initially I set it to "reject" unsigned email and of course that was a disaster as it blocked most everything.

Back then, the choice was to have it verify emails, but not block them, or remove verification. I made the decision that checking without doing anything was a waste of resources, so I removed any DKIM verification. I don't remember how I did all this, as it was years ago.

Then at some point DKIM verification was added to spamassassin, or maybe it was always there but we didn't implement the plugin. At any rate, spamassassin DKIM verification was added to the toaster.

Which seems like a good thing as spamassassin can assign a score to DKIM verification which plays into whether a msg is marked as spam or not. The problem with it though, is the score for NOT being verified is very low, something like .01, which essentially does nothing. I can't find any "user" added parameter that would increase that score and don't really know if that's a good thing to try to do. If it were a good thing, I would think it would be a commonly used setting, which doesn't appear to be the case.

What to do in 2020?

So the question is, what to do about DKIM verification in 2020? From the way my server is configured it appears to be useless. But maybe that's because I don't know how to best configure it.

Side Note

On a side note, I do use outbound DKIM and have DNS set up, etc. I have no idea if this is useful or not, but I'll leave it, hoping that somehow this reduces my probability of being rejected by some server out there. But from what I can tell, it really does nothing. Seems to me DKIM is nothing more than an exercise in futility and extra work for postmasters :)

Gary Bowling
The Moderns on Spotify
--------------------------------------------------------------------- To unsubscribe, e-mail: For additional commands, e-mail:
--------------------------------------------------------------------- To unsubscribe, e-mail: For additional commands, e-mail:
--------------------------------------------------------------------- To unsubscribe, e-mail: For additional commands, e-mail:

Reply via email to