.\" Automatically generated by Pod::Man 4.10 (Pod::Simple 3.35)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "Mail::SpamAssassin::Plugin::DKIM 3pm"
.TH Mail::SpamAssassin::Plugin::DKIM 3pm "2020-01-31" "perl v5.28.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
Mail::SpamAssassin::Plugin::DKIM \- perform DKIM verification tests
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& loadplugin Mail::SpamAssassin::Plugin::DKIM [/path/to/DKIM.pm]
.Ve
.PP
Taking into account signatures from any signing domains:
.PP
.Vb 4
\& full   DKIM_SIGNED           eval:check_dkim_signed()
\& full   DKIM_VALID            eval:check_dkim_valid()
\& full   DKIM_VALID_AU         eval:check_dkim_valid_author_sig()
\& full   DKIM_VALID_EF         eval:check_dkim_valid_envelopefrom()
.Ve
.PP
Taking into account signatures from specified signing domains only:
(quotes may be omitted on domain names consisting only of letters, digits,
dots, and minus characters)
.PP
.Vb 3
\& full   DKIM_SIGNED_MY1       eval:check_dkim_signed(\*(Aqdom1\*(Aq,\*(Aqdom2\*(Aq,...)
\& full   DKIM_VALID_MY1        eval:check_dkim_valid(\*(Aqdom1\*(Aq,\*(Aqdom2\*(Aq,...)
\& full   DKIM_VALID_AU_MY1     eval:check_dkim_valid_author_sig(\*(Aqd1\*(Aq,\*(Aqd2\*(Aq,...)
\&
\& full   _\|_DKIM_DEPENDABLE     eval:check_dkim_dependable()
.Ve
.PP
Author Domain Signing Practices (\s-1ADSP\s0) from any author domains:
.PP
.Vb 6
\& header DKIM_ADSP_NXDOMAIN    eval:check_dkim_adsp(\*(AqN\*(Aq)
\& header DKIM_ADSP_ALL         eval:check_dkim_adsp(\*(AqA\*(Aq)
\& header DKIM_ADSP_DISCARD     eval:check_dkim_adsp(\*(AqD\*(Aq)
\& header DKIM_ADSP_CUSTOM_LOW  eval:check_dkim_adsp(\*(Aq1\*(Aq)
\& header DKIM_ADSP_CUSTOM_MED  eval:check_dkim_adsp(\*(Aq2\*(Aq)
\& header DKIM_ADSP_CUSTOM_HIGH eval:check_dkim_adsp(\*(Aq3\*(Aq)
.Ve
.PP
Author Domain Signing Practices (\s-1ADSP\s0) from specified author domains only:
.PP
.Vb 1
\& header DKIM_ADSP_MY1         eval:check_dkim_adsp(\*(Aq*\*(Aq,\*(Aqdom1\*(Aq,\*(Aqdom2\*(Aq,...)
\&
\& describe DKIM_SIGNED   Message has a DKIM or DK signature, not necessarily valid
\& describe DKIM_VALID    Message has at least one valid DKIM or DK signature
\& describe DKIM_VALID_AU Message has a valid DKIM or DK signature from author\*(Aqs domain
\& describe DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope\-from domain
\& describe _\|_DKIM_DEPENDABLE     A validation failure not attributable to truncation
\&
\& describe DKIM_ADSP_NXDOMAIN    Domain not in DNS and no valid author domain signature
\& describe DKIM_ADSP_ALL         Domain signs all mail, no valid author domain signature
\& describe DKIM_ADSP_DISCARD     Domain signs all mail and suggests discarding mail with no valid author domain signature, no valid author domain signature
\& describe DKIM_ADSP_CUSTOM_LOW  adsp_override is CUSTOM_LOW, no valid author domain signature
\& describe DKIM_ADSP_CUSTOM_MED  adsp_override is CUSTOM_MED, no valid author domain signature
\& describe DKIM_ADSP_CUSTOM_HIGH adsp_override is CUSTOM_HIGH, no valid author domain signature
.Ve
.PP
For compatibility with pre\-3.3.0 versions, the following are synonyms:
.PP
.Vb 3
\& OLD: eval:check_dkim_verified = NEW: eval:check_dkim_valid
\& OLD: eval:check_dkim_signall  = NEW: eval:check_dkim_adsp(\*(AqA\*(Aq)
\& OLD: eval:check_dkim_signsome = NEW: redundant, semantically always true
.Ve
.PP
The _\|_DKIM_DEPENDABLE eval rule deserves an explanation. The rule yields true
when signatures are supplied by a caller, \s-1OR ELSE\s0 when signatures are obtained
by this plugin \s-1AND\s0 either there are no signatures \s-1OR\s0 a rule _\|_TRUNCATED was
false. In other words: _\|_DKIM_DEPENDABLE is true when failed signatures can
not be attributed to message truncation when feeding a message to SpamAssassin.
It can be consulted to prevent false positives on large but truncated messages
with poor man's implementation of \s-1ADSP\s0 by hand-crafted rules.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This SpamAssassin plugin implements \s-1DKIM\s0 lookups as described by the \s-1RFC 4871,\s0
as well as historical DomainKeys lookups, as described by \s-1RFC 4870,\s0 thanks
to the support for both types of signatures by newer versions of module
Mail::DKIM.
.PP
It requires the \f(CW\*(C`Mail::DKIM\*(C'\fR \s-1CPAN\s0 module to operate. Many thanks to Jason Long
for that module.
.SH "TAGS"
.IX Header "TAGS"
The following tags are added to the set, available for use in reports,
header fields, other plugins, etc.:
.PP
.Vb 2
\&  _DKIMIDENTITY_
\&    Agent or User Identifier (AUID) (the \*(Aqi\*(Aq tag) from valid signatures;
\&
\&  _DKIMDOMAIN_
\&    Signing Domain Identifier (SDID) (the \*(Aqd\*(Aq tag) from valid signatures;
\&
\&  _DKIMSELECTOR_
\&    DKIM selector (the \*(Aqs\*(Aq tag) from valid signatures;
.Ve
.PP
Identities and domains from signatures which failed verification are not
included in these tags. Duplicates are eliminated (e.g. when there are two or
more valid signatures from the same signer, only one copy makes it into a tag).
Note that there may be more than one signature in a message \- currently they
are provided as a space-separated list, although this behaviour may change.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\f(CW\*(C`Mail::DKIM\*(C'\fR \fBMail::SpamAssassin::Plugin\fR\|(3)
.PP
.Vb 5
\&  http://dkimproxy.sourceforge.net/
\&  https://tools.ietf.org/rfc/rfc4871.txt
\&  https://tools.ietf.org/rfc/rfc4870.txt
\&  https://tools.ietf.org/rfc/rfc5617.txt
\&  https://datatracker.ietf.org/group/dkim/about/
.Ve
.SH "USER SETTINGS"
.IX Header "USER SETTINGS"
.IP "whitelist_from_dkim author@example.com [signing\-domain]" 4
.IX Item "whitelist_from_dkim author@example.com [signing-domain]"
Works similarly to whitelist_from, except that in addition to matching
an author address (From) to the pattern in the first parameter, the message
must also carry a valid Domain Keys Identified Mail (\s-1DKIM\s0) signature made by
a signing domain (\s-1SDID,\s0 i.e. the d= tag) that is acceptable to us.
.Sp
Only one whitelist entry is allowed per line, as in \f(CW\*(C`whitelist_from_rcvd\*(C'\fR.
Multiple \f(CW\*(C`whitelist_from_dkim\*(C'\fR lines are allowed. File-glob style characters
are allowed for the From address (the first parameter), just like with
\&\f(CW\*(C`whitelist_from_rcvd\*(C'\fR.
.Sp
The second parameter (the signing-domain) does not accept full file-glob style
wildcards, although a simple '*.' (or just a '.') prefix to a domain name
is recognized and implies any subdomain of the specified domain (but not
the domain itself).
.Sp
If no signing-domain parameter is specified, the only acceptable signature
will be an Author Domain Signature (sometimes called first-party signature)
which is a signature where the signing domain (\s-1SDID\s0) of a signature matches
the domain of the author's address (i.e. the address in a From header field).
.Sp
Since this whitelist requires a \s-1DKIM\s0 check to be made, network tests must
be enabled.
.Sp
Examples of whitelisting based on an author domain signature (first-party):
.Sp
.Vb 3
\&  whitelist_from_dkim joe@example.com
\&  whitelist_from_dkim *@corp.example.com
\&  whitelist_from_dkim *@*.example.com
.Ve
.Sp
Examples of whitelisting based on third-party signatures:
.Sp
.Vb 5
\&  whitelist_from_dkim jane@example.net      example.org
\&  whitelist_from_dkim rick@info.example.net example.net
\&  whitelist_from_dkim *@info.example.net    example.net
\&  whitelist_from_dkim *@*                   mail7.remailer.example.com
\&  whitelist_from_dkim *@*                   *.remailer.example.com
.Ve
.IP "def_whitelist_from_dkim author@example.com [signing\-domain]" 4
.IX Item "def_whitelist_from_dkim author@example.com [signing-domain]"
Same as \f(CW\*(C`whitelist_from_dkim\*(C'\fR, but used for the default whitelist entries
in the SpamAssassin distribution.  The whitelist score is lower, because
these are often targets for abuse of public mailers which sign their mail.
.IP "unwhitelist_from_dkim author@example.com [signing\-domain]" 4
.IX Item "unwhitelist_from_dkim author@example.com [signing-domain]"
Removes an email address with its corresponding signing-domain field
from def_whitelist_from_dkim and whitelist_from_dkim tables, if it exists.
Parameters to unwhitelist_from_dkim must exactly match the parameters of
a corresponding whitelist_from_dkim or def_whitelist_from_dkim config
option which created the entry, for it to be removed (a domain name is
matched case-insensitively);  i.e. if a signing-domain parameter was
specified in a whitelisting command, it must also be specified in the
unwhitelisting command.
.Sp
Useful for removing undesired default entries from a distributed configuration
by a local or site-specific configuration or by \f(CW\*(C`user_prefs\*(C'\fR.
.IP "adsp_override domain [signing\-practices]" 4
.IX Item "adsp_override domain [signing-practices]"
Currently few domains publish their signing practices (\s-1RFC 5617\s0 \- \s-1ADSP\s0),
partly because the \s-1ADSP\s0 rfc is rather new, partly because they think
hardly any recipient bothers to check it, and partly for fear that some
recipients might lose mail due to problems in their signature validation
procedures or mail mangling by mailers beyond their control.
.Sp
Nevertheless, recipients could benefit by knowing signing practices of a
sending (author's) domain, for example to recognize forged mail claiming
to be from certain domains which are popular targets for phishing, like
financial institutions. Unfortunately, as signing practices are seldom
published or are weak, it is hardly justifiable to look them up in \s-1DNS.\s0
.Sp
To overcome this chicken-or-the-egg problem, the \f(CW\*(C`adsp_override\*(C'\fR mechanism
allows recipients using SpamAssassin to override published or defaulted
\&\s-1ADSP\s0 for certain domains. This makes it possible to manually specify a
stronger (or weaker) signing practices than a signing domain is willing
to publish (explicitly or by default), and also save on a \s-1DNS\s0 lookup.
.Sp
Note that \s-1ADSP\s0 (published or overridden) is only consulted for messages
which do not contain a valid \s-1DKIM\s0 signature from the author's domain.
.Sp
According to \s-1RFC 5617,\s0 signing practices can be one of the following:
\&\f(CW\*(C`unknown\*(C'\fR, \f(CW\*(C`all\*(C'\fR and \f(CW\*(C`discardable\*(C'\fR.
.Sp
\&\f(CW\*(C`unknown\*(C'\fR: The domain might sign some or all email \- messages from the
domain may or may not have an Author Domain Signature. This is a default
if a domain exists in \s-1DNS\s0 but no \s-1ADSP\s0 record is found.
.Sp
\&\f(CW\*(C`all\*(C'\fR: All mail from the domain is signed with an Author Domain Signature.
.Sp
\&\f(CW\*(C`discardable\*(C'\fR: All mail from the domain is signed with an Author Domain
Signature.  Furthermore, if a message arrives without a valid Author Domain
Signature, the domain encourages the recipient(s) to discard it.
.Sp
\&\s-1ADSP\s0 lookup can also determine that a domain is \*(L"out of scope\*(R", i.e., the
domain does not exist (\s-1NXDOMAIN\s0) in the \s-1DNS.\s0
.Sp
To override domain's signing practices in a SpamAssassin configuration file,
specify an \f(CW\*(C`adsp_override\*(C'\fR directive for each sending domain to be overridden.
.Sp
Its first argument is a domain name. Author's domain is matched against it,
matching is case insensitive. This is not a regular expression or a file-glob
style wildcard, but limited wildcarding is still available: if this argument
starts by a \*(L"*.\*(R" (or is a sole \*(L"*\*(R"), author's domain matches if it is a
subdomain (to one or more levels) of the argument. Otherwise (with no leading
asterisk) the match must be exact (not a subdomain).
.Sp
An optional second parameter is one of the following keywords
(case-insensitive): \f(CW\*(C`nxdomain\*(C'\fR, \f(CW\*(C`unknown\*(C'\fR, \f(CW\*(C`all\*(C'\fR, \f(CW\*(C`discardable\*(C'\fR,
\&\f(CW\*(C`custom_low\*(C'\fR, \f(CW\*(C`custom_med\*(C'\fR, \f(CW\*(C`custom_high\*(C'\fR.
.Sp
Absence of this second parameter implies \f(CW\*(C`discardable\*(C'\fR. If a domain is not
listed by a \f(CW\*(C`adsp_override\*(C'\fR directive nor does it explicitly publish any
\&\s-1ADSP\s0 record, then \f(CW\*(C`unknown\*(C'\fR is implied for valid domains, and \f(CW\*(C`nxdomain\*(C'\fR
for domains not existing in \s-1DNS.\s0 (Note: domain validity is only checked with
versions of Mail::DKIM 0.37 or later (actually since 0.36_5), the \f(CW\*(C`nxdomain\*(C'\fR
would never turn up with older versions).
.Sp
The strong setting \f(CW\*(C`discardable\*(C'\fR is useful for domains which are known
to always sign their mail and to always send it directly to recipients
(not to mailing lists), and are frequent targets of fishing attempts,
such as financial institutions. The \f(CW\*(C`discardable\*(C'\fR is also appropriate
for domains which are known never to send any mail.
.Sp
When a message does not contain a valid signature by the author's domain
(the domain in a From header field), the signing practices pertaining
to author's domain determine which of the following rules fire and
contributes its score: \s-1DKIM_ADSP_NXDOMAIN, DKIM_ADSP_ALL, DKIM_ADSP_DISCARD,
DKIM_ADSP_CUSTOM_LOW, DKIM_ADSP_CUSTOM_MED, DKIM_ADSP_CUSTOM_HIGH.\s0 Not more
than one of these rules can fire for messages that have one author (but see
below). The last three can only result from a 'signing\-practices' as given
in a \f(CW\*(C`adsp_override\*(C'\fR directive (not from a \s-1DNS\s0 lookup), and can serve as
a convenient means of providing a different score if scores assigned to
\&\s-1DKIM_ADSP_ALL\s0 or \s-1DKIM_ADSP_DISCARD\s0 are not considered suitable for some
domains.
.Sp
\&\s-1RFC 5322\s0 permits a message to have more than one author \- multiple addresses
may be listed in a single From header field.  \s-1RFC 5617\s0 defines that a message
with multiple authors has multiple signing domain signing practices, but does
not prescribe how these should be combined. In presence of multiple signing
practices, more than one of the DKIM_ADSP_* rules may fire.
.Sp
As a precaution against firing DKIM_ADSP_* rules when there is a known local
reason for a signature verification failure, the domain's \s-1ADSP\s0 is considered
\&'unknown' when \s-1DNS\s0 lookups are disabled or a \s-1DNS\s0 lookup encountered a temporary
problem on fetching a public key from the author's domain. Similarly, \s-1ADSP\s0
is considered 'unknown' when this plugin did its own signature verification
(signatures were not passed to \s-1SA\s0 by a caller) and a metarule _\|_TRUNCATED was
triggered, indicating the caller intentionally passed a truncated message to
SpamAssassin, which was a likely reason for a signature verification failure.
.Sp
Example:
.Sp
.Vb 2
\&  adsp_override *.mydomain.example.com   discardable
\&  adsp_override *.neversends.example.com discardable
\&
\&  adsp_override ebay.com
\&  adsp_override *.ebay.com
\&  adsp_override ebay.co.uk
\&  adsp_override *.ebay.co.uk
\&  adsp_override paypal.com
\&  adsp_override *.paypal.com
\&  adsp_override amazon.com
\&  adsp_override ealerts.bankofamerica.com
\&  adsp_override americangreetings.com
\&  adsp_override egreetings.com
\&  adsp_override bluemountain.com
\&  adsp_override hallmark.com   all
\&  adsp_override *.hallmark.com all
\&  adsp_override youtube.com    custom_high
\&  adsp_override google.com     custom_low
\&  adsp_override gmail.com      custom_low
\&  adsp_override googlemail.com custom_low
\&  adsp_override yahoo.com      custom_low
\&  adsp_override yahoo.com.au   custom_low
\&  adsp_override yahoo.se       custom_low
\&
\&  adsp_override junkmailerkbw0rr.com nxdomain
\&  adsp_override junkmailerd2hlsg.com nxdomain
\&
\&  # effectively disables ADSP network DNS lookups for all other domains:
\&  adsp_override *              unknown
\&
\&  score DKIM_ADSP_ALL          2.5
\&  score DKIM_ADSP_DISCARD     25
\&  score DKIM_ADSP_NXDOMAIN     3
\&
\&  score DKIM_ADSP_CUSTOM_LOW   1
\&  score DKIM_ADSP_CUSTOM_MED   3.5
\&  score DKIM_ADSP_CUSTOM_HIGH  8
.Ve
.IP "dkim_minimum_key_bits n             (default: 1024)" 4
.IX Item "dkim_minimum_key_bits n (default: 1024)"
The smallest size of a signing key (in bits) for a valid signature to be
considered for whitelisting. Additionally, the eval function \fBcheck_dkim_valid()\fR
will return false on short keys when called with explicitly listed domains,
and the eval function \fBcheck_dkim_valid_author_sig()\fR will return false on short
keys (regardless of its arguments). Setting the option to 0 disables a key
size check.
.Sp
Note that the option has no effect when the eval function \fBcheck_dkim_valid()\fR
is called with no arguments (like in a rule \s-1DKIM_VALID\s0). A mere presence of
some valid signature on a message has no reputational value (without being
associated with a particular domain), regardless of its key size \- anyone can
prepend its own signature on a copy of some third party mail and re-send it,
which makes it no more trustworthy than without such signature. This is also
a reason for a rule \s-1DKIM_VALID\s0 to have a near-zero score, i.e. a rule hit
is only informational.
.SH "ADMINISTRATOR SETTINGS"
.IX Header "ADMINISTRATOR SETTINGS"
.IP "dkim_timeout n             (default: 5)" 4
.IX Item "dkim_timeout n (default: 5)"
How many seconds to wait for a \s-1DKIM\s0 query to complete, before scanning
continues without the \s-1DKIM\s0 result. A numeric value is optionally suffixed
by a time unit (s, m, h, d, w, indicating seconds (default), minutes, hours,
days, weeks).