
[dkim-ops] Test Results for various reflectors

2006-06-08 14:31:42
Reposted to the list, I just realized I just responded only to Nate...

Okay. My results for every reflector listed on (with every possible signing mode) are here (and they're DISMAL):

Interesting notes:

-- doesn't even seem to verify DKIM or DK, just SPF/Sender-ID. Pointless.

-- in most results simply tells me what my policies in published DNS are, but says the DKIM test is "not available". Mostly Pointless.

-- seems to only work with allman-base-00, everything else returns a base64 error. Also seems to be running a fairly old sendmail which wouldn't have the right libmilter to support newer versions of dkim-filter.

-- isn't even answering me when I send with ietf-base-00, and on the others, not one has triggered a domainkeys response.

-- sees my DKIM passing, but my domainkeys FAILING where everything else passes. If this is one of the "testing" sites this makes me feel FAR less good about even implementing DOMAINKEYS, since four other sites can verify me and be fine and one of the TESTING SITES is broken. THIS IS BAD. In a real-world situation this would REJECT MAIL. Their MTA (MDaemon) seems to be at issue here.


* I signed using my address danm(_at_)prime(_dot_)gushi(_dot_)org -- if anyone thinks it would be any different using gushi(_at_)gushi(_dot_)org (which also has domainkeys and a policy) let me know.

* I for a moment considered re-running these tests with dk-milter completely disabled and only using dkim-milter, but decided against it as this is a real-world test, and the idea should be to embrace as many possible non-competing methods as possible, with PREFERENCE for the ability to continue to use SUPPORTED ones while the DRAFT ones work the kinks out.

* mentions a mailing list on yahoogroups that hasn't seen a post since last November, and which still has not approved me for posting access.

* I am running the latest versions of all milters (dk, dkim, sid) from sourceforge. My arguments for dkim-filter are mentioned in the methods.txt file in each example.

* After my first try I kicked over to putting the domainkeys milter FIRST in, because I noted that this is how does it, and I'd pretty much consider them an example to work from.

* The sendmail milter can sign with three different modes, ietf-base-00, ietf-base-01, and allman-base-00. mentions:

draft allman-00

(they mention it with and without the word "draft", I am not sure if that's significant)

In any case, no detail is mentioned about how these differ, unless I feel like reading the drafts (and no links are provided, even so it would be a TEDIOUS read).

(the index page stated that that site may be out of date, I'm ccing the webmaster on this in case he'd like to remove these links).

According to some of these milters test on allman-01, which isn't even an option with dkim-milter (interesting because AFAIK if it's being supported by, it should conceivably be in the milter that THEY WROTE).

* Per Nate's suggestion I've added -H to dk-filter's options -- it doesn't seem to have helped the incidence of failures.

* Is there code out there to allow one to run their own testing reflector? If so, I'd like to run one myself.

* Can anyone post contact addresses for issues with these reflectors? Ideally we need more info, such as: what testing method they're using, contact address, what standards they support.

Clearly if all these reflectors are failing with the DEFAULT SIGNING MODE of dkim-milter this represents an issue.

-Dan Mahoney

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
