"Reject incoming email with invalid DKIM signature?" not working as expected

I am using OpenDKIM (installed by Virtualmin when I click on the install button Virtualmin -> Email messages -> DKIM -> Install).

When I select Reject incoming email with invalid DKIM signature? (*) Yes it adds headers into the message with information about validity of the signature:

DKIM-Filter: OpenDKIM Filter v2.11.0 ...

Authentication-Results: server.example.com; dkim=fail reason="....

This way I can create custom filters in my e-mail client (Evolution) to look for "dkim=fail" and assign specific label (with different colour) that says "DKIM verification failed" or other scary message.

In the configuration file /etc/opendkim.conf I see that turning this option to (*) Yes is changing Mode s to Mode sv.

This is great and is what I actually want, however it is misleading, because when the user set Reject incoming email with invalid DKIM signature? to (*) Yes he expects that emails with wrong signatures are rejected (not received and error message returned to the sender). Which is not the case.

I suggest to add another option called Verify DKIM signature and add "Authentication-Results" header that works this way and Reject incoming email with invalid DKIM signature? to actually reject the message when set to (*) Yes.

I noticed also another problem: it works as dkim-milter only after I add this to the /etc/opendkim.conf: SenderHeaders Sender,From. If there is no Sender (this is the default: SenderHeaders From) it will not sign messages when the From address is not listed in dkim-domains.txt (but the Sender address is listed there). I am suggesting to add a way to correct this via Virtualmin interface ("DomainKeys identified mail options") or change the config file when DKIM is enabled via Virtualmin.

Needs review


When DKIM is enabled, the header should always be enabled, but email should be only totally rejected when the "Reject incoming email with invalid DKIM signature" option is set to "Yes".

Which Linux distribution and version are you running there? The cause may be that Virtualmin is configuring one of the many DKIM variants incorrectly.

I got this on Debian 8