Skyler edited this page Jan 9, 2024 · 7 revisions

With the sign rules, you can specify that certain e-mails should always be signed. They can also be used to disable the "From is not in Signing Domain" warning or to hide invalid signatures from e-mails received through a mailing list.

Versions before 4.x stored the rules in the dkimPolicy.sqlite SQLite database in the profile directory.

Rule format

Domain

Will be matched against the base domain of the From address. For example, the base domain for 'email.example.co.uk' is 'example.co.uk'.

List-Id

Will be matched against the list-id, if the e-mail was received through a mailing list. Note that only the part between '<' and '>' of the List-Id header is the actual list-id. A rule is matched against either the domain or the list-id, not both at the same time.

From

Will be matched against the From address. Use an '*' to match zero or more characters.

SDID

The domain by which the e-mails should be signed. If this is left empty, every SDID is allowed. More than one domain can be specified by separating them with a space.

Rule type

The type of the rule.

  1. E-mail must be signed by the specified SDID.
  2. E-mail doesn't have to be signed. If it is signed, it must be by the specified SDID.
  3. E-mail doesn't have to be signed. If it is signed, it must be by the specified SDID. If the e-mail has an invalid signature, it is treated as having no signature.

Priority

The priority of the rule. If more than one rule matches, the one with the highest priority is used.

The default priorities are:

| Rule | Priority |
| --- | --- |
| Auto inserted rules of type 1 | 1100 |
| Default rules of type 1; used for e-mail providers | 2000 |
| User inserted rules of type 3 | 2050 |
| Default rules of type 1 | 2100 |
| Default rules of type 1; used for different SDID for subdomains | 2110 |
| Default rules of type 2 | 2200 |
| User inserted rules of type 1 | 3100 |
| User inserted rules of type 2 | 3200 |

Enabled

1 if the rule is enabled, 0 if it is disabled.

Use cases

Disable "From is not in Signing Domain" warning

Normally a warning is shown if the From address is not in the SDID of the signature. You can disable this for specific addresses by adding a rule.

For example, for an email from from@subdomain.example.com signed by signer.com, add the following rule:

  • Domain: example.com
  • List-Id: leave it empty
  • From: * for the complete domain, *@subdomain.example.com for the subdomain, from@subdomain.example.com for the From address only
  • SDID: signer.com
  • Rule type: Must be signed (1) or Can be signed (2)
  • Priority: Will be automatically selected based on the Rule type. Normally there should be no need to change this. But if for some reason you need to, you can manually set the priority or change it after you have added the rule.
  • Enabled: true

Hide invalid signatures from e-mails received through a mailing list

Mailing lists often change the subject or add a footer to the message body, and thus break the DKIM signature. If you don't want to hide invalid signatures completely, you can add a rule to hide invalid signatures only when the e-mail was received through a specific mailing list.

For example, for a mailing list with the List-Id header List-Id: a mailing list <list.example.com>, add the following rule:

  • Domain: leave it empty
  • List-Id: list.example.com
  • From: *
  • SDID: leave it empty
  • Rule type: Ignore invalid signature (3)
  • Priority: Will be automatically selected based on the Rule type. Normally there should be no need to change this. But if for some reason you need to, you can manually set the priority or change it after you have added the rule.
  • Enabled: true

Disable "Should be signed by ..." error

If you want to use the option "Use DMARC to heuristically determinate if an e-mail should be signed", but it produces a false result of "Should be signed by ..." for a specific domain, you can use the sign rules to add an explicit exception for this domain.

For example, for an email from from@subdomain.example.com add the following rule:

  • Domain: example.com
  • List-Id: leave it empty
  • From: * for the complete domain, *@subdomain.example.com for the subdomain, from@subdomain.example.com for the From address only
  • SDID: leave it empty
  • Rule type: Can be signed (2)
  • Priority: Will be automatically selected based on the Rule type. Normally there should be no need to change this. But if for some reason you need to, you can manually set the priority or change it after you have added the rule.
  • Enabled: true

If you want to add the exception only for the From address, you can also do it by clicking "Add must be signed exception" in the "Other Actions" drop-down menu in the e-mail header.
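
The matching, priority and rule-type behaviour described under "Rule format", applied to the three use-case rules above. This is an added JavaScript example, not the add-on's own code. The field names and result strings are hypothetical, and it assumes that a rule with a List-Id is scoped by list-id only, that SDIDs are compared exactly, and that the caller has already computed the base domain of the From address.

```javascript
// Added illustration, not the add-on's source. Field names and result strings are hypothetical.
const MUST_SIGN = 1, MAY_SIGN = 2, IGNORE_INVALID = 3;

// From pattern -> anchored, case-insensitive regex; '*' matches zero or more characters.
function globToRegExp(pattern) {
  const parts = pattern.split("*").map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$", "i");
}

// Assumption: a rule with a List-Id is scoped by list-id, otherwise by base domain.
// msg.baseDomain is supplied by the caller (computing it needs a public suffix list).
function ruleMatches(rule, msg) {
  if (!rule.enabled) return false;
  const same = (a, b) => a.toLowerCase() === (b || "").toLowerCase();
  const inScope = rule.listId ? same(rule.listId, msg.listId) : same(rule.domain, msg.baseDomain);
  return inScope && globToRegExp(rule.from).test(msg.from);
}

// Of all matching rules, the one with the highest priority is used.
function selectRule(rules, msg) {
  const hits = rules.filter((r) => ruleMatches(r, msg));
  return hits.reduce((best, r) => (!best || r.priority > best.priority ? r : best), null);
}

// sig is null for an unsigned e-mail, otherwise { sdid, valid }.
function evaluate(rule, sig) {
  if (sig && !sig.valid && rule.type === IGNORE_INVALID) sig = null; // type 3: treat as unsigned
  if (!sig) return rule.type === MUST_SIGN ? "missing-signature" : "unsigned-ok";
  if (!sig.valid) return "invalid-signature";
  const allowed = rule.sdid.toLowerCase().split(" ").filter(Boolean); // empty list: any SDID
  // Assumption: exact SDID comparison.
  return allowed.length === 0 || allowed.includes(sig.sdid.toLowerCase()) ? "ok" : "wrong-sdid";
}

// Constructed sample: the rules from the use cases, with the default user priorities.
const SAMPLE_RULES = [
  { domain: "example.com", listId: "", from: "*@subdomain.example.com", sdid: "signer.com",
    type: MUST_SIGN, priority: 3100, enabled: true },
  { domain: "", listId: "list.example.com", from: "*", sdid: "",
    type: IGNORE_INVALID, priority: 2050, enabled: true },
  { domain: "example.com", listId: "", from: "*", sdid: "",
    type: MAY_SIGN, priority: 3200, enabled: true },
];
```

With all three sample rules enabled, the user-inserted type 2 rule (3200) outranks the type 1 rule (3100) for mail from subdomain.example.com, so the "must be signed by signer.com" requirement only takes effect once the broader type 2 rule is disabled or given a lower priority.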