Hexamail Server Administration Guide - Sender - DKIM

   DomainKeys Identified Mail (DKIM)

EnableDomainKeys
This setting enables Yahoo Domain Keys processing for received email. Domain Key processing involves verifying incoming email using cryptographic signatures. This can help verify the identity of senders, and therefore ensure that forged or spoofed email can be eliminated at the earliest opportunity. The server must look up domain keys for signed email from a DNS host, so some latency may be introduced when receiving email. Domain Key processing may also have some impact on CPU usage, as each signed email must be verified cryptographically. For further information please consult the Yahoo Domain Keys pages: http://antispam.yahoo.com/domainkeys/
off
Policy Breach
Domain Keys specifies that signing domains should publish a policy record specifying how they sign email. If an email is NOT signed, the policy for that domain is looked up and the email is checked for breaches of the policy. For example, a policy may state that ALL email from the domain must be signed. In this case any unsigned email from that domain is either blocked (and quarantined) or rejected at the SMTP level as soon as it is submitted.
Example interface
Accept, Block, Reject
Block
Invalid Signature
If a Domain Key signed email is encountered, its Domain Key signature is verified against the email headers and content. If the signature doesn't match (so the email may be forged), this setting selects the action to take. Remember that in some cases email may have been modified or corrupted on its way to your server (e.g. if it passed through a mailing list or news list server), so signatures sometimes fail for legitimate email. In addition, bear in mind that anyone can sign email from their own domain, so even spammers sometimes sign email with Domain Keys! Domain Key signatures verify that the email does indeed come from the specified domain, not that the domain itself is one you wish to receive email from!
Example interface
Accept, Block, Reject
Block
Require signatures for
Currently many domains have policies that state that only SOME email may be signed, and that Domain Keys is in 'testmode'. These policies mean that email cannot be rejected according to policy breaches if it lacks a Domain Keys signature. If you wish to insist that selected domains MUST send Domain Key signed email, add the domains to the list. BE SURE TO CHECK that the domains you add are indeed adding Domain Key signatures to their outgoing email and intend to continue to do so!
yahoo.com,yahoo.co.uk,gmail.com,e-mail.egg.com,btinternet.com
Missing required signature
Once you have listed domains for which you REQUIRE a signature (regardless of policy), use this setting to select the action to take for email with no signatures from those domains.
Example interface
Accept, Block, Reject
Block
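The following is an added example, not Hexamail code: it models how the Policy Breach, Require signatures for and Missing required signature settings described above combine for an unsigned message. The function names and the settings dictionary are assumptions; the policy tags (`o=-` all mail signed, `o=~` some mail signed, `t=y` test mode) are those defined for DomainKeys policy records in RFC 4870.

```python
# Added example: models the unsigned-mail decision described in this guide.
# Not Hexamail code; function names and the settings dict are assumptions.

# Constructed settings mirroring the defaults shown on this page.
SETTINGS = {
    "policy_breach": "Block",
    "require_signatures_for": "yahoo.com,yahoo.co.uk,gmail.com,e-mail.egg.com,btinternet.com",
    "missing_required_signature": "Block",
}

def parse_policy(txt):
    """Parse a DomainKeys policy TXT record (RFC 4870 tag=value; pairs)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {
        # o=- : all mail is signed; o=~ (the default): only some mail is signed
        "all_signed": tags.get("o", "~") == "-",
        # t=y : the domain is testing DomainKeys
        "testing": tags.get("t", "").lower() == "y",
    }

def action_for_unsigned(sender_domain, policy_txt, settings=SETTINGS):
    """Return Accept, Block or Reject for a message with no signature.

    policy_txt is the TXT record found at _domainkey.<sender_domain>,
    or None if the domain publishes no policy record.
    """
    domain = sender_domain.strip().lower().rstrip(".")
    required = {d.strip().lower()
                for d in settings["require_signatures_for"].split(",") if d.strip()}
    # The local list applies regardless of the published policy.
    # Assumption: exact domain match, no subdomain matching.
    if domain in required:
        return settings["missing_required_signature"]
    if policy_txt is None:
        return "Accept"
    policy = parse_policy(policy_txt)
    # Only a non-testing "all mail is signed" policy is breached by unsigned mail.
    if policy["all_signed"] and not policy["testing"]:
        return settings["policy_breach"]
    return "Accept"
```

A domain that publishes `t=y; o=-` yields Accept here even though it claims to sign everything, which is why the local list exists for domains you want enforced regardless of their published policy.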
Missing Key
Sometimes a signed email points to a domain which doesn't have a public key DNS entry published. This means the signature CANNOT be verified. Often these are SPAM email.
Example interface
Accept, Block, Reject
Block
Revoked Key
Sometimes a signed email points to a domain for which the key has been revoked. Use this setting to select an action for such email.
Example interface
Accept, Block, Reject
Block
Invalid MIME
Sometimes a signed email contains MIME syntax errors. Use this setting to block such email.
Example interface
Accept, Block, Reject
Block
DomainKeyDebug
Due to the complexity of Domain Key processing, this feature allows the full MIME of a Domain Key signed email to be dumped to disk if the verification fails. This allows better debugging of what may be wrong with the MIME of the email in question.
off