DKIM Rule – SpamAssassin

I put together a new SpamAssassin rule that will help identify spam from spoofed email addresses.

Some email providers always sign email with DKIM or DomainKeys … based on this assumption, if you get a message from one of those domains and it isn’t signed, you can assume it’s more likely to be spam.

This particular rule operates on the assumption that all mail from Yahoo & Gmail will be signed. It does not, however, raise the score a huge amount … because it’s just more LIKELY to be spam if it’s not signed … it’s not guaranteed to be spam. Some people may use their Yahoo or Gmail accounts in the From address, but not actually send from that service.

As an added bonus, I created a rule that simply identifies spam that is expected to be signed and actually is.

To add other domains to the list, modify the __FROM_DKIM_SIGNER rule.

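# Domains that are expected to sign all of their outbound mail.
# The pattern is anchored to the domain part of the address so that
# look-alikes such as "gmail.com.example.net" do not match.
header __FROM_DKIM_SIGNER from:addr =~ /\@(?:yahoo|gmail|googlemail|google)\.com$/i

# From address claims a signing domain, but there is no valid DKIM signature.
meta NOT_SIGNED_BUT_EXPECTED __FROM_DKIM_SIGNER && !(DKIM_SIGNED && DKIM_VALID)
describe NOT_SIGNED_BUT_EXPECTED Message should have been signed by DKIM but wasn't
score NOT_SIGNED_BUT_EXPECTED 5

# From address claims a signing domain and a valid DKIM signature is present.
meta SIGNED_AND_EXPECTED __FROM_DKIM_SIGNER && DKIM_SIGNED && DKIM_VALID
describe SIGNED_AND_EXPECTED Message should have been signed by DKIM and was
score SIGNED_AND_EXPECTED -0.1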

Caveat: This rule is by no means perfect … if you have any suggestions for improvement, feel free to let me know.
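
To see how the rule's decision plays out on individual messages, here is an added Python example (not part of the original post, and not SpamAssassin code) that classifies raw messages the same way. It assumes a signature counts only when its d= tag equals the From domain, which is stricter than the DKIM_SIGNED && DKIM_VALID test above, and it does not verify the signature cryptographically; the sample messages are constructed.

```python
# Added example, not the post's code. Presence/alignment check only:
# the signature is NOT cryptographically verified here.
from email import message_from_string
from email.utils import parseaddr

# Same domains as the __FROM_DKIM_SIGNER rule.
EXPECTED_SIGNERS = {"yahoo.com", "gmail.com", "googlemail.com", "google.com"}

def from_domain(msg):
    """Domain of the From address, lower-cased ('' if absent or malformed)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def signing_domains(msg):
    """The d= tag of every DKIM-Signature header on the message."""
    domains = set()
    for value in msg.get_all("DKIM-Signature", []):
        for tag in value.split(";"):
            name, _, val = tag.partition("=")
            if name.strip().lower() == "d":
                domains.add(val.strip().lower())
    return domains

def classify(raw):
    msg = message_from_string(raw)
    dom = from_domain(msg)
    if dom not in EXPECTED_SIGNERS:  # exact domain match, not a substring test
        return "NOT_APPLICABLE"
    if dom in signing_domains(msg):  # assumption: d= must equal the From domain
        return "SIGNED_AND_EXPECTED"
    return "NOT_SIGNED_BUT_EXPECTED"

# Constructed sample messages (b= values are placeholders, not real signatures).
SAMPLES = {
    "signed": "From: Alice <alice@gmail.com>\nDKIM-Signature: v=1; a=rsa-sha256;"
              " d=gmail.com;\n s=sel; b=PLACEHOLDER\nSubject: hi\n\nbody\n",
    "unsigned": "From: alice@yahoo.com\nSubject: hi\n\nbody\n",
    "lookalike": "From: bob@gmail.com.example.net\nSubject: hi\n\nbody\n",
    "third_party": "From: alice@gmail.com\nDKIM-Signature: v=1; d=example.net;"
                   " s=x; b=PLACEHOLDER\nSubject: hi\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {classify(raw)}")
```

The "third_party" sample is the case where this sketch and the rule differ: the message carries a signature, but from a domain other than the one in the From address.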
