Rob McEwen wrote:
All I know for sure is this - for MANY legit emails - DKIM fails
some days later
On 28.02.23 12:52, Kris Deugau wrote:
Hours.
I've recently learned about this, in the context of trying to
welcomelist legitimate senders. A 2-hour validity window for the DKIM
signature is pretty common. :(
I hope these senders expire their e-mail 1.5 hours after sending...
This should be avoidable by using opendkim at SMTP time, and using
Mail::SpamAssassin::Plugin::AuthRes plugin in the way that DKIM rules aren't
rechecked if they are
I have SA 4.0 installed and Mail::SpamAssassin::Plugin::AuthRes available.
However, I don't see AuthRes plugin mention in .pre files nor in SA rules.
I will try to load it to see if it works.
- when it had originally worked/validated at the time the
message was sent. I see this often in the real world when I rescan a
message to try to verify the impact on a message that a spam
filtering change caused - then notice that a very legit email that
original passed DKIM at the time the message was received - now
suddenly fails DKIM during this days-later rescan - and without ANY
changes to the message itself. I think that this is most likely
caused by DNS records for that DKIM being changed/updated.
On most of those messages I expect it's an attribute set on the
signature, not a rotated DKIM record.
Look for "t=..." and "x=..." in the DKIM-Signature header. t= is the
timestamp when it was signed, x= is when it expires.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.