
How can I configure opendkim to quarantine or reject (incoming) unsigned messages that instead should be signed because a key is present in the DNS?

opendkim.conf(5):

On-NoSignature (string)
   Selects the action to be taken when a message arrives unsigned.
   Possible values are the same as those for On-BadSignature.
   The default is accept.

I guess this is not the correct option to set, because it does not specify that the message was supposed to be signed (key present in the DNS); it just seems to refer to any "generic" unsigned message. (Am I wrong?)

Gabriele
  • It's not a standard way. Better to use DMARC (`opendmarc` milter), it was made *exactly* to solve the general problem you have in mind. DMARC is used by a domain owner to tell you that it expects messages to be either DKIM-signed or SPF-transferred, and in both cases to check for `From` header spoofing. Presence of DKIM records is not in itself an obligation that all messages will be DKIM-signed. – kubanczyk Jan 19 '17 at 08:36
  • I can use DMARC with my own domains, but 90% of incoming emails have no DMARC set in their DNS, so in the meantime, I need to find a way to quarantine (or to tag, at least) messages with no DKIM signature that should instead be signed, for later review. Any ideas? – Gabriele Jan 19 '17 at 08:43
  • No DMARC record = "I allow my outgoing emails to be spoofed". Same for a DMARC `p=none` record. If some domain has a DKIM record, this means they already started to walk in the right direction, don't punish them for that! Maybe they got stuck implementing opendkim or other such software. – kubanczyk Jan 19 '17 at 08:57
  • You are absolutely right, but I just need a way to put those unsigned emails in the users' junk folder, so they will be able to review them and, if necessary, restore false positives. Of course DMARC would take precedence, but in my experience, most unsigned emails (with DKIM in the DNS but no DMARC set) are actually junk. – Gabriele Jan 19 '17 at 09:03
  • ...and if somebody, a normal user, uses a third party mail relay/webmailer for perfectly legit emails under this domain you will filter it out as SPAM. Do you see the error here? – Marc Stürmer Jan 21 '17 at 09:45

1 Answer

Using the On-NoSignature parameter is only for taking an action when no signature is present and will not achieve your goal of quarantining messages that are not signed but have DKIM records.

Your goal is likely not achievable for general incoming mail because the DKIM TXT record is configured per key with a unique selector in the host of the DNS record. Therefore a receiving server has no way to determine whether the domain an unsigned email is from expects there to be a DKIM record when being sent by the sending server (there may be multiple servers sending on behalf of a domain).

Paul
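To make the answer's point concrete, here is an added example (not from the post or from the opendkim/opendmarc projects): a DKIM public key is published at `<selector>._domainkey.<domain>`, so a receiver only learns which name to query from the `s=` and `d=` tags of a signature it has actually received, whereas the DMARC policy always sits at the fixed name `_dmarc.<domain>`. The DNS records and headers below are constructed, and the DMARC evaluation is simplified (SPF alignment and signature verification are left out).

```python
# Added example, not from the post or the opendkim project. All records are constructed.
FAKE_DNS_TXT = {
    "mail2017._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none",
    # example.net publishes neither a DKIM key nor a DMARC record
}

def parse_tags(value):
    """Split a 'tag=value; tag=value' list (DKIM-Signature, DKIM key or DMARC record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags

def dkim_key_name(headers):
    """TXT name of the signing key (<selector>._domainkey.<domain>), or None if unsigned.
    Selector and domain come only from the signature's s= and d= tags, so an unsigned
    message gives the receiver no name to query."""
    sig = headers.get("DKIM-Signature")
    if not sig:
        return None
    tags = parse_tags(sig)
    if "s" not in tags or "d" not in tags:
        return None
    return f"{tags['s']}._domainkey.{tags['d']}"

def dmarc_policy(from_domain, dns=FAKE_DNS_TXT):
    """Look up _dmarc.<domain>; that name is fixed, so any receiver can find it."""
    record = dns.get(f"_dmarc.{from_domain}")
    return parse_tags(record).get("p") if record else None

def classify(headers, dns=FAKE_DNS_TXT):
    """Receiver-side decision. Simplified: SPF alignment is omitted and a found
    DKIM key is only reported, not used to verify the signature."""
    from_domain = headers["From"].rsplit("@", 1)[1].strip("> ")
    key_name = dkim_key_name(headers)
    if key_name and key_name in dns:
        return "dkim-key-found"    # a signed message names its own key
    policy = dmarc_policy(from_domain, dns)
    if policy in ("quarantine", "reject"):
        return f"dmarc-{policy}"   # the domain owner asked for this action
    return "accept"                # nothing in DNS says this mail should have been signed
```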