Order of DKIM signing and spam scanning

Simon Wilson simon at simonandkate.net
Mon Apr 19 12:03:55 CEST 2021

I run amavisd to do SpamAssassin scanning on outbound email:

- Port 587 submission --> ORIGINATING/MYNETS dedicated amavisd port (10026) --> Postfix 10025 for delivery --> Internet (OR local Cyrus if it's local mail... read on...)

I also use amavisd to DKIM sign outbound email.

When I send email to a local domain (i.e. handled entirely on the  
local network), amavisd is spam-scanning and *then* DKIM signing...  
which means that the spam scan triggers KAM_DMARC rules if DMARC is  
set to reject or quarantine:

- SPF fails: it's only ever internal, so SPF will never pass an  
externally published SPF rule
- DKIM fails: the email is not yet DKIM-signed, so DKIM fails
- In SA this KAM rule fails:

       meta     KAM_DMARC_REJECT !(DKIM_VALID_AU || SPF_PASS) &&
       describe KAM_DMARC_REJECT DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
       score    KAM_DMARC_REJECT 3.0

I understand DKIM signing needs to be as late as possible - is there  
an amavisd way to get around this challenge?


Simon Wilson
M: 0400 12 11 16
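
The rule quoted above, evaluated for both processing orders, as an added example that is not part of the original post or of amavisd/SpamAssassin. It models a meta rule as a boolean expression over the names of tests that hit; `POLICY_REJECT_PLACEHOLDER` is a hypothetical stand-in for the term cut off after `&&` in the quoted rule, and `eval_meta` and `scan` are names made up here.

```python
import re

# Rule body as quoted in the post. The quoted copy ends at "&&", so the last
# term here is a hypothetical placeholder, not the real sub-rule name.
KAM_DMARC_REJECT = "!(DKIM_VALID_AU || SPF_PASS) && POLICY_REJECT_PLACEHOLDER"
TOKEN = re.compile(r"\s*(&&|\|\||!|\(|\)|[A-Za-z_][A-Za-z0-9_]*)")

def eval_meta(expr, hits):
    """Evaluate a boolean meta expression; a name is true if that test hit.
    Simplification: only !, &&, || and parentheses are modelled."""
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}")
        toks.append(m.group(1))
        pos = m.end()
    i = 0
    def peek():
        return toks[i] if i < len(toks) else None
    def take():
        nonlocal i
        if i >= len(toks):
            raise ValueError("expression ends early")
        i += 1
        return toks[i - 1]
    def atom():
        t = take()
        if t == "!":
            return not atom()
        if t == "(":
            v = either()
            if take() != ")":
                raise ValueError("missing )")
            return v
        if t in ("&&", "||", ")"):
            raise ValueError(f"unexpected {t}")
        return t in hits
    def both():                       # && binds tighter than ||
        v = atom()
        while peek() == "&&":
            take()
            v = atom() and v          # operand is always parsed first
        return v
    def either():
        v = both()
        while peek() == "||":
            take()
            v = both() or v
        return v
    result = either()
    if peek() is not None:
        raise ValueError("trailing tokens")
    return result

def scan(signed_before_scan, policy_reject=True):
    """Tests that hit for local-to-local mail: SPF_PASS never hits (per the
    post); DKIM_VALID_AU hits only if signing happened before the scan."""
    hits = {"DKIM_VALID_AU"} if signed_before_scan else set()
    if policy_reject:
        hits.add("POLICY_REJECT_PLACEHOLDER")
    return eval_meta(KAM_DMARC_REJECT, hits)
```

`scan(False)` is the scan-then-sign order from the post and fires the rule; `scan(True)` is the reverse order and does not.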
