myself wrote:
> No, there currently is no way to distinguish a temporary failure
> (e.g. a timeout due to network problems) from other DNS failures
> in SpamAssassin's DKIM plugin.

On the other hand, this isn't too bad. A DKIM validity is commonly associated with whitelisting or reputation, so a broken signature, just like a DNS service failure, only means that some negative score points are absent. A temporary failure need not be treated any differently than a missing or invalid signature.

Contrary to the above, an ADSP policy check _is_ sensitive to temporary failures. A SERVFAIL or a timeout should not cause substantial score points - and it doesn't! The DKIM plugin treats DNS failures on obtaining a policy the same as 'unknown' policy, i.e. it yields no penalty score points. Some fraud may sneak through on serious DNS trouble, but then again, there will be more serious issues elsewhere when such happens.

Mark
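
The following sketch is an added example, not part of the original post and not SpamAssassin's own code. It models the ADSP handling described above: a SERVFAIL or timeout on the policy lookup is folded into the 'unknown' policy, so no penalty is scored. The status strings, the penalty values and the function names are assumptions made for illustration, and the record parsing is a simplified reading of RFC 5617.

```python
# Added illustration, not SpamAssassin code. DNS status strings and
# penalty scores are constructed for this example.

PENALTY = {"unknown": 0.0, "all": 1.0, "discardable": 2.0}  # constructed scores


def parse_adsp(txt_records):
    """Return the ADSP policy from TXT records found at _adsp._domainkey.<domain>.

    Simplification: zero records, several records, a record that does not
    start with a dkim= tag, or an unrecognised value all count as 'unknown'.
    """
    if len(txt_records) != 1:
        return "unknown"
    first_tag = txt_records[0].split(";", 1)[0]
    name, sep, value = first_tag.partition("=")
    if not sep or name.strip().lower() != "dkim":
        return "unknown"
    value = value.strip().lower()
    return value if value in ("all", "discardable") else "unknown"


def adsp_policy(dns_status, txt_records):
    """Effective policy after the lookup.

    A temporary failure (SERVFAIL, timeout) is treated the same as an
    'unknown' policy, which is the behaviour the post describes.
    """
    if dns_status in ("servfail", "timeout"):
        return "unknown"
    if dns_status == "nxdomain":  # no ADSP record published
        return "unknown"
    return parse_adsp(txt_records)


def adsp_penalty(dns_status, txt_records, valid_author_signature):
    """Penalty points; ADSP only matters without a valid author domain signature."""
    if valid_author_signature:
        return 0.0
    return PENALTY[adsp_policy(dns_status, txt_records)]


if __name__ == "__main__":
    # Same unsigned message, same published policy, different DNS health.
    print(adsp_penalty("noerror", ["dkim=discardable"], False))  # policy applied
    print(adsp_penalty("servfail", [], False))                   # lookup failed
```

The second call shows the trade-off: while the resolver is failing, an unsigned message from a domain that publishes `dkim=discardable` scores the same as one from a domain with no policy.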