Signing all outgoing mails on MTA, not on MUA

Steve Revilak steve at
Sat Mar 28 16:51:34 CET 2009

grover> We'd like to be able to sign all our outgoing mails.

grover> But not on each client system, which would mean everyone has
grover> to install some plugin or gpg-aware mail client, but on the
grover> mailserver itself.

grover> This way nobody has to think about it and signing works
grover> transparently for everyone. We would have one key for all,
grover> like a corporate key.

cbabcock> The corporate value of public key cryptography is much more
cbabcock> readily attained using DKIM. Milter setup and key management
cbabcock> for signing DKIM mail is pretty straightforward. You place
cbabcock> your key in Text records in DNS. That establishes a
cbabcock> meaningful connection between the identity of the sender (or
cbabcock> at least ownership of the mail server) and the owner of the
cbabcock> domain. Setting up DKIM with Postfix was at least as easy as
cbabcock> setting up GPG with Claws and it makes an identity assertion
cbabcock> that is appropriate for a server environment.

I agree with Chris -- this seems like a good application for DKIM.

In addition to non-repudiation, some email service providers will be
much less likely to categorize DKIM-signed messages as spam (if that
kind of thing matters to you.)

One DKIM implementation I've used is
<>.  dkim-milter is very
straightforward to set up with sendmail, and I know of people who've
used it with postfix (configured as a mail filter.)

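As an added illustration of the "key in Text records in DNS" point in the thread (this is not code from any poster or from dkim-milter), the sketch below shows how a verifier derives the DNS name from a DKIM-Signature header and sanity-checks the published key record, following RFC 6376. The domain `example.org`, the selector `mail2009` and all sample values are constructed, and no DNS lookup is performed.

```python
import base64
import binascii

# Constructed sample values (not from the thread): a folded DKIM-Signature
# header value and the TXT record a signer would publish for it.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=mail2009;\r\n"
              "\th=from:to:subject:date; bh=CONSTRUCTED;\r\n\tb=CONSTRUCTED")
SAMPLE_P = base64.b64encode(b"constructed placeholder, not a real key").decode()
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + SAMPLE_P


def parse_tags(value):
    """Parse a DKIM tag=value list into a dict, rejecting duplicate tags."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError("malformed or duplicate tag: %r" % part)
        tags[name] = "".join(val.split())  # folding whitespace is not significant
    return tags


def key_record_name(sig):
    """DNS name whose TXT record holds the public key for this signature."""
    missing = [t for t in ("v", "a", "b", "bh", "d", "h", "s") if t not in sig]
    if missing:
        raise ValueError("signature lacks required tags: %s" % missing)
    return "%s._domainkey.%s" % (sig["s"], sig["d"])


def check_key_record(sig, txt):
    """Return (usable, reason) for a published key record against a signature."""
    key = parse_tags(txt)
    if key.get("v", "DKIM1") != "DKIM1":
        return False, "unsupported key record version"
    if "p" not in key:
        return False, "no p= tag"
    if key["p"] == "":
        return False, "key revoked (empty p=)"
    if key.get("k", "rsa") != sig["a"].split("-")[0]:
        return False, "key type does not match a="
    try:
        base64.b64decode(key["p"], validate=True)
    except (binascii.Error, ValueError):
        return False, "p= is not valid base64"
    return True, "ok"
```

The empty `p=` case is how a domain owner revokes a selector, so a verifier has to treat it as a failure rather than as a missing key.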