On 12/1/18 8:31 AM, Matus UHLAR - fantomas wrote:
>> On Fri, Nov 30, 2018 at 3:06, Matus UHLAR - fantomas
>> (<uh...@fantomas.sk>) wrote:
>>> And, yes, there could be a rule that catches message-id added by internal
>>> server. Note that:
>>> - Message-ID is not required (has SHOULD in RFC)
>>> - many mailservers add message-id if it doesn't exist.
>
>>> >> https://pastebin.com/ktMUDLps
>
>>> not available anymore :-(
>
> On 30.11.18 10:55, Rick Gutierrez wrote:
>> Hi, here it is https://pastebin.com/3TtsjXSX
>>
>> last trace, after my gateway analyzes it
>>
>> https://pastebin.com/76rNVnnp
>
> - is "mydomain.com" your real domain?
>
> - funny that Message-Id is signed in DKIM and DKIM is valid.
>
> hmmm more to think about later.
>
DKIM_VALID only confirms it was signed correctly by any domain. Anyone can generate keys and DNS records to sign an email with a domain for which they control/manage the DNS. I can sign all emails leaving my edge mail servers with an ena.net or ena.com key. That only means you can be sure it is authentic (unmodified) and came from my servers. It doesn't mean I am allowed to send for that domain.

DKIM_VALID_AU confirms the DKIM signature aligned with the author's From: header domain and is authentic (unmodified). This means something but is still not an indicator of ham or spam -- just that it came from that domain unmodified. If you trust the domain like paypal.com to not send UCE or spam from compromised accounts, then you can whitelist_auth that domain.

-- 
David Jones
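
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not SpamAssassin's code: it compares each DKIM-Signature `d=` domain with the From: domain. The sample message, the example.com/example.net domains, the selectors and all function names are constructed; alignment is simplified to an exact domain match, and cryptographic verification is assumed to be done by a real DKIM verifier whose accepted domains are passed in.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: two signatures, bh=/b= are placeholders, not real data.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=edge;
 h=from:subject:message-id; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;
 h=from:subject:message-id; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@example.com>
Message-ID: <constructed-1@example.com>
Subject: test

body
"""

def parse_tags(value):
    """Parse a DKIM-Signature tag list (tag=value; ...) into a dict."""
    pairs = (p.partition("=") for p in value.split(";") if "=" in p)
    return {k.strip(): "".join(v.split()) for k, _, v in pairs}

def signing_domains(msg):
    """Return the d= (signing domain) of every DKIM-Signature header."""
    return [parse_tags(v).get("d", "").lower().rstrip(".")
            for v in msg.get_all("DKIM-Signature", [])]

def author_domains(msg):
    """Return the domains of all addresses in the From: header."""
    addrs = getaddresses(msg.get_all("From", []))
    return {a.rpartition("@")[2].lower().rstrip(".") for _, a in addrs if "@" in a}

def classify(msg, verified):
    """Label each signing domain. `verified` holds the d= domains a real DKIM
    verifier already accepted (assumption: no crypto is done here)."""
    authors = author_domains(msg)
    out = {}
    for d in signing_domains(msg):
        if d not in verified:
            out[d] = "unverified"
        else:  # exact match only, a simplification of alignment
            # author-aligned ~ the DKIM_VALID_AU case, third-party ~ DKIM_VALID only
            out[d] = "author-aligned" if d in authors else "third-party"
    return out

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print(classify(msg, verified={"mailer.example.net", "example.com"}))
```

A valid signature from mailer.example.net proves only that the message passed through that signer unmodified; only the example.com signature says anything about the domain in From:.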