Hello
Bill Cole wrote (2025-11-12 17:52):
> A valid DKIM signature is not very useful *by itself* in deciding
> whether a particular message is ham or spam. Spammers know how to
> set up DKIM. That would normally be a reason to make it an unscored
> sub-rule (i.e. __DKIM_VALID) however because we believed users may
> want to know that without needing to dig too deeply, so we made it
> a rule on its own. Giving it a -0.1 score is just a way to make it
> essentially meaningless on its own. Arguably it should be -0.01,
> but that shows up in some cases as "-0.0" which would be confusing.
I understand this and it's ok. I just want to get DKIM_INVALID if the
signature is invalid. I am trying to find out why the results differ and
who is right, opendkim or SA's dkim-check. opendkim itself actually
works for me with regular emails, even if two signatures have to be
checked.
Matija Nalis wrote (2025-11-12 23:39):
> Other than that: Which SA version? Is that Authentication-Results
> from your SA or something else? What is its full output? Are there
> other headers related to authentication?
spamassassin -V
SpamAssassin version 4.0.1
running on Perl version 5.36.0
Authentication-Results is written by Amavis after SA, that's why SA
can't see it to match a rule on it.
> And especially, what does "spamassassin -D -t" say when you pass that
> message through it?
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.2 DKIM_INVALID DKIM or DK signature exists, but is not valid
My plugin (using Mail::DKIM::Verifier)
1.5 DKIM_FL At least one DKIM signature failed (custom)
Here I offer good examples from yesterday: same spammer, same mail
structure, text with different wording, but same content. The result of
opendkim was "bad signature" for both mails, but once valid and invalid
for SA!
dkim invalid
https://paste.debian.net/plain/1408324
dkim valid
https://paste.debian.net/plainh/d2da8c37
Links expire in 24 h
Thanks for any hint!
Thomas B
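Since both samples get "bad signature" from opendkim while SA reports DKIM_VALID for one and DKIM_INVALID for the other, the thing worth comparing is the verdict per signature rather than the one-word summary (SpamAssassin's DKIM_VALID means at least one signature verified, so a message carrying one good and one broken signature still gets it). The script below is an added example for this thread, not code from SpamAssassin, Mail::DKIM or the original posts; it feeds a message from stdin to Mail::DKIM::Verifier with the CRLF line endings the module expects and prints every signature's own result, and it needs DNS access to fetch the selector keys.

```perl
#!/usr/bin/perl
# dkim-per-sig.pl: report each DKIM signature of a message separately.
# Added example for this thread, not part of SpamAssassin or opendkim.
# Usage: perl dkim-per-sig.pl < message.eml   (DNS access required)
use strict;
use warnings;
use Mail::DKIM::Verifier;

my $dkim = Mail::DKIM::Verifier->new();

# Mail::DKIM expects SMTP line endings (CRLF); mailbox files usually have
# bare LF. Feeding LF-terminated lines is a common cause of spurious
# "invalid" results, so normalise every line before passing it on.
while ( my $line = <STDIN> ) {
    chomp $line;
    $line =~ s/\015$//;    # drop a CR if the file already had CRLF
    $dkim->PRINT("$line\015\012");
}
$dkim->CLOSE;

# One-word verdict for the whole message.
printf "overall: %s (%s)\n", $dkim->result, $dkim->result_detail;

# Per-signature verdicts: with one good and one bad signature the overall
# result can still be "pass" while one of the lines below says "fail".
my @sigs = $dkim->signatures;
printf "%d signature(s) found\n", scalar @sigs;
my $failed = 0;
for my $sig (@sigs) {
    my $r = $sig->result // 'none';
    $failed++ if $r ne 'pass';
    printf "  d=%s s=%s i=%s -> %s (%s)\n",
        $sig->domain   // '?',
        $sig->selector // '?',
        $sig->identity // '?',
        $r,
        $sig->result_detail // '';
}

# Exit status mirrors the custom DKIM_FL idea: non-zero if any signature
# did not verify, so the script can be used from a shell loop over samples.
exit( $failed ? 1 : 0 );
```

Running it over the two pasted samples shows whether the second one carries a signature that SA accepts while opendkim's report covers a different signature, or whether the difference comes from line-ending or canonicalization handling instead.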