[dkim-ops] Test Results for various reflectors
Dan Mahoney, System Admin
danm at prime.gushi.org
Thu Jun 8 14:34:58 PDT 2006
Reposted to the list, I just realized I just responded only to Nate...

Okay. My results for every reflector listed on testing.dkim.org (with
every possible signing mode) are here (and they're DISMAL):

blackops.org -- doesn't even seem to verify DKIM or DK, just SPF/Sender-ID.

dk.elandsys.com -- in most results simply tells me what my policies in
published DNS are, but says the DKIM test is "not available".

dkim.org -- seems to only work with allman-base-00, everything else returns a
base64 error. Also seems to be running a fairly old sendmail which wouldn't
have the right libmilter to support newer versions of dkim-filter.

sendmail.net -- isn't even answering me when I send with ietf-base-00, and on
the others, not one has triggered a domainkeys response.

altn.com -- sees my DKIM passing, but my domainkeys FAILING where everything
else passes. If this is one of the "testing" sites this makes me feel FAR less
good about even implementing DOMAINKEYS, since four other sites can verify me
and be fine and one of the TESTING SITES is broken. THIS IS BAD. In a
real-world situation this would REJECT MAIL. Their MTA (MDaemon) seems to be
at issue here.

* I signed using my address danm at prime.gushi.org -- if anyone thinks it would
be any different using gushi at gushi.org (which also has domainkeys and a policy)
let me know.
* I for a moment considered re-running these tests with dk-milter completely
disabled and only using dkim-milter, but decided against it as this is a
real-world test, and the idea should be to embrace as many possible
non-competing methods as possible, with PREFERENCE for the ability to continue
to use SUPPORTED ones while the DRAFT ones work the kinks out.
* dkim.org mentions a mailing list on yahoogroups that hasn't seen a post since
last November, and which still has not approved me for posting access.
* I am running the latest versions of all milters (dk, dkim, sid) from
sourceforge. My arguments for dkim-filter are mentioned in the methods.txt
file in each example.
* After my first try I kicked over to putting the domainkeys milter FIRST in
sendmail.cf, because I noted that this is how sendmail.net does it, and I'd
pretty much consider them an example to work from.
* The sendmail milter can sign with three different modes, ietf-base-00,
ietf-base-01, and allman-base-00. http://testing.dkim.org/reflector.html
(they mention it with and without the word "draft", I am not sure if that's
In any case, no detail is mentioned about how these differ, unless I feel like
reading the drafts (and no links are provided, even so it would be a TEDIOUS
(the index page stated that that site may be out of date, I'm ccing the
webmaster on this in case he'd like to remove these links).
According to http://testing.dkim.org/reflector.html some of these milters test
on allman-01, which isn't even an option with dkim-milter (interesting because
AFAIK if it's being supported by sendmail.net, it should conceivably be in the
milter that THEY WROTE).
* Per Nate's suggestion I've added -H to dk-filter's options -- it doesn't
seem to have helped the incidence of failures.
* Is there code out there to allow one to run their own testing reflector? If
so, I'd like to run one myself.
* Can anyone post contact addresses for issues with these reflectors?
Ideally we need more info, such as: what testing method they're using,
contact address, what standards they support.
Clearly if all these reflectors are failing with the DEFAULT SIGNING MODE
of dkim-milter this represents an issue.
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM