DKIM on smtp-port or on submission only?

Hi,

Would it make sense to apply the DKIM milter only for mails arriving on the submission port, and the DMARC milter for those arriving on the SMTP port?

I.e., would a master.cf like this make sense (also enforces further separation between smtp and submission):

smtp      inet  n       -       -       -       -       smtpd
      # DMARC only, no DKIM
      -o smtpd_milters=inet:127.0.0.1:8893
      # No SASL; SMTP would only be used for incoming mail, not for relay to other domains
      -o smtpd_relay_restrictions=reject_unauth_destination
submission inet n       -       -       -       -       smtpd
      # [...] Other configuration overrides omitted
      # DKIM only, no DMARC, already part of configuration
      -o smtpd_milters=inet:127.0.0.1:8891
      # Only for true submission, not for incoming mail, as per RFC2476 §6.2
      -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject

This of course assumes that all client software uses the submission port for email relay (as they should).

Or should emails that arrive on SMTP and claim to be from any of the local domains be rejected right away?

Background: Due to some misconfiguration on one of my clients, mail got routed through a separate mail server before reaching my MIAB box. Those mails had one of my domains both as sender and as recipient. When the mails arrived at my box from the other server, they were sent through the DKIM milter and signed. SpamAssassin gave better scores for those mails as they were properly DKIM-signed.

Why I care: I have been receiving spam mails that misuse my domains as the sender domain; those spam mails might get better SA scores because of this DKIM configuration than they should, I think.

My apologies if I am way off here …

Thank you,
ionos
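
The separation proposed in the question can be checked mechanically. The sketch below is an added example, not part of the thread or of any project's code: it parses master.cf text and lists smtpd services that pass mail from unauthenticated clients to the signing milter. It assumes the signing milter listens on 127.0.0.1:8891 as in the post, handles only the plain `-o name=value` form, and uses hypothetical function names.

```python
import re

# Constructed sample: the layout proposed in the post, elided overrides left out.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_milters=inet:127.0.0.1:8893
  -o smtpd_relay_restrictions=reject_unauth_destination
submission inet n       -       -       -       -       smtpd
  -o smtpd_milters=inet:127.0.0.1:8891
  -o smtpd_relay_restrictions=permit_sasl_authenticated,permit_mynetworks,reject
"""

SIGNING_MILTER = "inet:127.0.0.1:8891"  # assumption: DKIM milter address from the post


def parse_services(text):
    """Return {service: {param: value}} for inet smtpd entries in master.cf text."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = line.split()
        if len(fields) >= 8 and fields[1] == "inet" and fields[7] == "smtpd":
            args = " ".join(fields[8:])
            services[fields[0]] = dict(re.findall(r"-o\s+(\w+)=(\S+)", args))
    return services


def requires_auth(overrides):
    """True when relaying is limited to SASL/mynetworks clients and ends in reject."""
    rules = re.split(r"[,\s]+", overrides.get("smtpd_relay_restrictions", ""))
    return "permit_sasl_authenticated" in rules and rules[-1] == "reject"


def audit(text, main_cf_milters=""):
    """List services that hand unauthenticated mail to the signing milter.

    main_cf_milters is the main.cf smtpd_milters value a service inherits
    when master.cf has no override for it (this sketch does not read main.cf).
    """
    findings = []
    for name, overrides in parse_services(text).items():
        milters = re.split(r"[,\s]+", overrides.get("smtpd_milters", main_cf_milters))
        if SIGNING_MILTER in milters and not requires_auth(overrides):
            findings.append(name)
    return findings
```
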

The milter does both signing and verification (i.e. adding an Authentication-Results: header), so it has to run on both ports, I think.

But I see what you mean. Can you open a GitHub issue for this?

Thank you for the insight, @JoshData.

I created an issue as you requested.