dkim fails ?

[Mark Martinec]

Benny,

> will dkim being checked in all_trusted ?, will try to debug later now from
> google mail with smtp auth

DKIM verification in amavisd as well as in SpamAssassin is
independent from trusted_networks / internal_networks / msa_networks,
i.e. works the same regardless of mail flow direction and its source.

> > The DKIM_ADSP_* rules only hit in the absence of a DKIM_VALID.
> 
> possible amavisd-new 2.6.6 sigs later then it test in spamassassin ?

Yes it does (regardless of version). Signing is done last, just before
the mail message is being fed back to an MTA. So the signature
that is yet to be generated is not seen by SpamAssassin and
a DKIM_ADSP_* rule could hit.

> this only happends if smtp auth is done outside mynetworks, not inside
> or relevant
> 
> if its my amavisd.conf i like to know why
> 
> all tested mails here gives dkim-valid if tested from console later so
> i am pretty sure now its either amavisd or error in my own config

What is strange here is that the message does contain a:

  Authentication-Results: localhost.junc.org (amavisd-new);
    dkim=pass header.i=@junc.org

which apparently means that a signature by junc.org was already
present at the time of signature verification, so SpamAssassin
should have seen it as well.

Perhaps a domain in a From header field did not match exactly
the signing domain of a signature? Maybe it was its subdomain.

  Mark