OpenDKIM with DNSSEC: some numbers

Meh, it is very understated: instead of warnings you get a key size and header rather than information. I installed unbound on Debian Jessie for DNSSEC and I set a config line in opendkim.conf.

Underwhelming, although with my old DNS supplier I can finally do 4096 key records. So it's not all bad news. However, when I went DIY I had some fun and games, as the " is parsed as \", so once you know that then the key will be valid.

Interestingly, SpamCop does not like 4096 keys:

dkim=permerror (key too large)

Oh well – I also set up log files with

opendkim-stats /var/log/<file>

You'll see a lot of DNSSEC status: INSECURE from inbound email.
Yep, we all be muppets.

For a while I have been saving DKIM statistics.

It looks like

Job x at host (size y)
received via ipv4.addr at date
from domain = '.paypal'
ATPS not checked
Signature 1 from paypal
PASSED
signed bytes: (whole message)
Signature properties:
Key properties:
DNSSEC status: SECURE

That's interesting for me, although rare; here is a more common example. Quite why I am on a scumbag firm mailing list was news to me, but then it did provide me with a DNSSEC example.

Job x at host (size y)
received via 67.195.87.236 at date
from domain = 'yahoo.com'
ATPS not checked
Signature 1 from yahoo.com
PASSED
signed bytes: (whole message)
Signature properties:
Key properties:
DNSSEC status: INSECURE

An error looks like

Signature 1 from remote mailer
ERROR
signed bytes: (whole message)
Signature properties:
Key properties:
DNSSEC status: INSECURE

Anyhow, with 400 messages processed, only one had DNSSEC; 345 had correct DKIM signatures, an 86% rate.

Of the 55 failures, most came from the same hosts, with the servers with config issues. Mind you, having DKIM does not mean it's going to be a large key, so 345 of those messages barely do DKIM.

Mind you, an 86% rate seems a good start. Exciting stuff this!
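
A tally like the one above can be produced from saved opendkim-stats output. This is an added example, not part of the original post: it parses only the fields visible in the excerpts quoted here (the "Signature N from" line, the verdict on the line after it, and "DNSSEC status:"). The function names, sample domains and addresses are assumptions made up for the illustration.

```python
import re
from collections import Counter

# Record layout copied from the excerpts in the post; all values are constructed.
RECORD = """Job {job} at host (size 1234)
received via 192.0.2.1 at date
from domain = '{dom}'
ATPS not checked
Signature 1 from {dom}
{result}
signed bytes: (whole message)
Signature properties:
Key properties:
DNSSEC status: {dnssec}
"""
ROWS = [("secure.example", "PASSED", "SECURE"), ("plain.example", "PASSED", "INSECURE"),
        ("broken.example", "ERROR", "INSECURE"), ("broken.example", "ERROR", "INSECURE")]
SAMPLE = "".join(RECORD.format(job=n, dom=d, result=r, dnssec=s)
                 for n, (d, r, s) in enumerate(ROWS, 1))

SIG_RE = re.compile(r"^Signature \d+ from (.+)$")
DNSSEC_RE = re.compile(r"^DNSSEC status: (\S+)$")

def parse_signatures(text):
    """Return one dict per signature block: domain, result, DNSSEC status."""
    sigs, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Job "):          # new message: close any open signature
            cur = None
        elif m := SIG_RE.match(line):
            cur = {"domain": m.group(1), "result": None, "dnssec": None}
            sigs.append(cur)
        elif cur is not None and cur["result"] is None and line:
            cur["result"] = line             # verdict is the line after "Signature N from"
        elif cur is not None and (m := DNSSEC_RE.match(line)):
            cur["dnssec"] = m.group(1)
    return sigs

def summarize(sigs):
    """Tally verdicts and DNSSEC states, and count failures per signing domain."""
    passed = sum(s["result"] == "PASSED" for s in sigs)
    return {
        "total": len(sigs),
        "pass_rate": round(100 * passed / len(sigs), 1) if sigs else 0.0,
        "dnssec": Counter(s["dnssec"] for s in sigs),
        "failing": Counter(s["domain"] for s in sigs if s["result"] != "PASSED"),
    }

print(summarize(parse_signatures(SAMPLE)))
```

The "failing" counter is what shows whether the failures cluster on a few misconfigured senders, as they did here.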
