myself wrote:
> No, there currently is no way to distinguish a temporary failure
> (e.g. a timeout due to network problems) from other DNS failures
> in SpamAssassin's DKIM plugin.

On the other hand, this isn't too bad.  A DKIM validity is commonly
associated with whitelisting or reputation, so a broken signature,
just like a DNS service failure, only means that some negative
score points are absent. A temporary failure need not be treated
any differently than a missing or invalid signature.

Contrary to the above, an ADSP policy check _is_ sensitive to
temporary failures. A SERVFAIL or a timeout should not cause
substantial score points - and it doesn't!  The DKIM plugin
treats DNS failures on obtaining a policy the same as 'unknown'
policy, i.e. it yields no penalty score points. Some fraud may
sneak through on serious DNS trouble, but then again, there
will be more serious issues elsewhere when such happens.

  Mark
