For your first question, look at the LocalADSP setting in your dkim-filter.conf configuration file (and its corresponding man page).


For your second question, I contacted Yahoo! to investigate this.  It turns out that dkim-milter’s library (libdkim) and also older versions of OpenDKIM’s library (libopendkim) contained a bug in relaxed body canonicalization, which is the mode Yahoo! uses.  OpenDKIM v1.2.0 contained a fix for this.  As they upgrade their servers to contain that patch, older software without the fix will begin getting verification errors from Yahoo!.  This is probably what you’ve been observing.

To date, dkim-milter has not been patched to include the fix.




From: Howard Leadmon []
Sent: Wednesday, March 17, 2010 11:00 AM
Subject: [dkim-milter-discuss] Couple Questions..


  I have had dkim-milter (as well as dk-milter) running for a while on my server, and on a couple clients servers, and have a couple questions hopefully someone can help with.


 First, and maybe I am just overlooking it, but is there a way in the configuration of dkim-milter to say, if mail is received saying it’s from domain (replace xx with your choice), then it must have a valid DKIM signature, and if not to reject/trash can the mail??


 I guess for example, I know now supports DKIM, but we get tons of SPAM saying it’s from, but in reality it’s from various hacked machines around the world, not yahoo.   Of course they don’t  include a DKIM signature, they just try and fake they are from yahoo.   So is there a setting so I can say if mail is being sent to me, and it says it’s from, to then check for a DKIM signature (as I know real Yahoo mail will have one), and if it has an invalid signature, or no signature at all, then to trash can/reject the message.


 Issue in point, I have a client that keeps trying to bounce invalid rejects for SPAM being faked as from Yahoo back to yahoo saying it’s to invalid users on their server, but then Yahoo is blacking listing them for hammering them with reject messages.   So it just seemed that I should be able to use DKIM to eliminate that issue, any suggestions?




 Second question, I know as stated above that Yahoo is doing DKIM and DK signatures in their email, but  when I get a message in from Yahoo, it tells me the DK signature is good, but that the DKIM signature is bad.   If I send a message back to my Yahoo account, it tells me that my signatures are good.    Am I munging up Yahoo’s header without knowing it, or are they really sending out broken DKIM which is almost hard to believe.   I will include a header below, and see if anyone can help give me a clue on this one..


Return-Path: <>

X-Spam-Checker-Version: SpamAssassin 3.3.0 (2010-01-18) on


X-Spam-Status: No, score=-0.9 required=5.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED,


            T_RP_MATCHES_RCVD autolearn=no version=3.3.0

Received: from ( [])

            by (8.14.4/8.14.4/LNSG+SCOP+PSBL+LUBL+NJABL+SBL+DSBL+SORBS+CBL+RHSBL) with SMTP id o2GFTNRm021714

            for <>; Tue, 16 Mar 2010 11:29:29 -0400 (EDT)


X-DKIM: Sendmail DKIM Filter v2.8.3 o2GFTNRm021714

Authentication-Results:; dkim=neutral

            (verification failed); x-dkim-adsp=none

X-DomainKeys: Sendmail DomainKeys Filter v1.0.2 o2GFTNRm021714

Authentication-Results:; domainkeys=pass (testing)

X-SenderID: Sendmail Sender-ID Filter v1.0.0 o2GFTNRm021714

Authentication-Results:; sender-id=none; spf=none

Received: (qmail 60648 invoked by uid 60001); 16 Mar 2010 15:29:20 -0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s1024;

            t=1268753360; bh=JecJQZ5crTJyCPPwhSdwHjvKlZ0J1eRmAioIi0cHFko=;






DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024;;






Message-ID: <>

X-YMail-OSG: Lk0c8nUVM1mZ_7Xj8gFaO7l902oEAsl6844PMAYUeKDotcGlsSnDhn9tCPNJnV2





Received: from [] by via HTTP;

            Tue, 16 Mar 2010 08:29:20 PDT

X-Mailer: YahooMailRC/324.3 YahooMailWebService/

Date: Tue, 16 Mar 2010 08:29:20 -0700 (PDT)

From: Howard Leadmon <>

Subject: testing...


MIME-Version: 1.0

Content-Type: text/plain;


X-TM-AS-Product-Ver: CSC-0-6.0.1038-17252

X-TM-AS-Result: No--1.87-4.50-31-1

X-Virus-Scanned: clamav-milter 0.95.3 at

X-Virus-Status: Clean




 If I am doing something that is munging up the header, any ideas on fixing it, as for sure I’d like to have DKIM working well.


Thanks for any input, always appreciated…




Howard Leadmon -