Reject outgoing message if no (valid) DKIM record has been added to the sending domain name

FWIW, I would just use the dkim verify function for this, at reception time. It returns an array of authentication results and you can look inside that for specific domains and use that to reject at reception time. The cost of this is not going to be significant, and the latency of it is likely less than calling out over the network to redis. Eliminating a storage system makes the architecture simpler, which makes it less likely to break.

I know that sending time can theoretically catch issues where things expire post-reception, but the window of opportunity for sending out messages with expired signatures is bounded by the maximum age you’ve set for messages in the queue (e.g. typically 1 week). Since most messages are relayed “immediately”, the bulk of things that remain in-queue are unlikely to be successfully delivered anyway.

hmm, and then you mean this specific example? https://docs.kumomta.com/reference/message/dkim_verify/

yeah; if you want to verify that the incoming message is signed appropriately, exactly that. If you’re instead verifying that your own signatures are valid, then you’d call msg:dkim_verify and inspect the authentication results, but skip adding them to the message, as that is for the receiving MTA to do

yeah, cool, thanks!

note that either way, you want to loop over the results and take some action based on the domain and status of the entries that matter to your policy
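An added example of the reception-time loop described in the thread; it is not code from the thread or from the KumoMTA project. It assumes the result shape documented at the linked dkim_verify reference (an array of entries with `method`, `result` and a `props` table carrying the `header.d` tag), that `msg:sender().domain` gives the envelope sender domain, and that `kumo.reject(code, message)` aborts the SMTP transaction; `example.com` and `mail.example.com` are constructed placeholders. The loop is the same whether the signature being checked was added by you or by the original sender.

```lua
-- Added example, not KumoMTA project code. Assumes the AuthenticationResult
-- shape documented at https://docs.kumomta.com/reference/message/dkim_verify/
-- (fields: method, result, props['header.d']) and that kumo.reject() aborts
-- the current SMTP transaction. The domain names below are placeholders.
local kumo = require 'kumo'

-- Domains for which we insist on a passing DKIM signature. Constructed list
-- for the example; in practice load this from your own configuration.
local REQUIRE_DKIM = {
  ['example.com'] = true,
  ['mail.example.com'] = true,
}

-- Pure helper, kept separate from the event handler so it can be exercised
-- with hand-built result tables. `results` is the array returned by
-- msg:dkim_verify(); `sender_domain` is the domain your policy keys on.
-- Returns true, nil when policy is satisfied, or false, {code=, msg=} otherwise.
local function dkim_policy_ok(results, sender_domain)
  sender_domain = string.lower(sender_domain or '')
  if not REQUIRE_DKIM[sender_domain] then
    return true, nil -- domain not in scope, accept
  end

  local saw_signature = false
  for _, r in ipairs(results or {}) do
    if r.method == 'dkim' then
      local d = string.lower((r.props and r.props['header.d']) or '')
      -- Only signatures whose d= tag matches the domain we care about count;
      -- a passing signature from some unrelated domain proves nothing here.
      if d == sender_domain then
        saw_signature = true
        if r.result == 'pass' then
          return true, nil
        end
        -- temperror means the DNS lookup failed: tempfail so the sender
        -- retries, rather than permanently rejecting on a transient fault.
        if r.result == 'temperror' then
          return false, { code = 451, msg = 'DKIM temperror for ' .. d }
        end
      end
    end
  end

  if saw_signature then
    return false, { code = 550, msg = 'DKIM verification failed for ' .. sender_domain }
  end
  return false, { code = 550, msg = 'no DKIM signature for ' .. sender_domain }
end

kumo.on('smtp_server_message_received', function(msg)
  local results = msg:dkim_verify()
  local ok, why = dkim_policy_ok(results, msg:sender().domain)
  if not ok then
    kumo.reject(why.code, why.msg)
  end
  -- Deliberately not calling msg:add_authentication_results() here: as the
  -- thread notes, adding that header is the job of the receiving MTA.
end)
```

The helper treats `temperror` as a 4xx and everything else that is not `pass` (including `fail`, `none` and `permerror`) as a 5xx; adjust those mappings to your own policy, and key on the From: header domain instead of the envelope sender if that is what you are trying to protect.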