NAME

Mail::DKIM::DkimPolicy - represents a DKIM Sender Signing Practices record

VERSION

version 1.20200907

DESCRIPTION

The Sender Signing Practices (SSP) record can be published by any domain to help a receiver know what to do when it encounters an unsigned message claiming to originate from that domain.

The record is published as a DNS TXT record at _policy._domainkey.DOMAIN where DOMAIN is the domain of the message's "From" address.

This record format has been superceded by ADSP. See Mail::DKIM::AuthorDomainPolicy for information about ADSP. It is implemented here because at one time it appeared this is what would be standardized by the IETF. It will be removed from Mail::DKIM at some point in the future. The last version of the SSP specification can be found at <http://tools.ietf.org/html/draft-ietf-dkim-ssp-02>.

CONSTRUCTORS

fetch()

Lookup a DKIM signing practices record.

  my $policy = Mail::DKIM::DkimPolicy->fetch(
            Protocol => 'dns',
            Author => 'jsmith@example.org',
          );

new()

Construct a default policy object.

  my $policy = Mail::DKIM::DkimPolicy->new;

METHODS

apply()

Apply the policy to the results of a DKIM verifier.

  my $result = $policy->apply($dkim_verifier);

The caller must provide an instance of Mail::DKIM::Verifier, one which has already been fed the message being verified.

Possible results are:

accept: The message is approved by the sender signing policy.
reject: The message is rejected by the sender signing policy. It can be considered very suspicious.
neutral: The message is neither approved nor rejected by the sender signing policy. It can be considered somewhat suspicious.

flags()

Get or set the flags (t=) tag.

A colon-separated list of flags. Flag values are:

y: The entity is testing signing practices, and the Verifier SHOULD NOT consider a message suspicious based on the record.
s: The signing practices apply only to the named domain, and not to subdomains.

is_implied_default_policy()

Is this policy implied?

  my $is_implied = $policy->is_implied_default_policy;

If you fetch the policy for a particular domain, but that domain does not have a policy published, then the "default policy" is in effect. Use this method to detect when that happens.

location()

Where the policy was fetched from.

If the policy is domain-wide, this will be domain where the policy was published.

If the policy is user-specific, TBD.

If nothing is published for the domain, and the default policy was returned instead, the location will be "undef".

policy()

Get or set the outbound signing policy (dkim=) tag.

  my $sp = $policy->policy;

Outbound signing policy for the entity. Possible values are:

"unknown": The default. The entity may sign some or all email.
"all": All mail from the entity is signed. (The DKIM signature can use any domain, not necessarily matching the From: address.)
"strict": All mail from the entity is signed with Originator signatures. (The DKIM signature uses a domain matching the From: address.)

signall()

True if policy is "all".

signall_strict()

True if policy is "strict".

testing()

Checks the testing flag.

  my $testing = $policy->testing;

If nonzero, the testing flag is set on the signing policy, and the verify should not consider a message suspicious based on this policy.

BUGS

•: If a sender signing policy is not found for a given domain, the fetch() method should search the parent domains, according to section 4 of the dkim-ssp Internet Draft.

AUTHORS

Jason Long <jason@long.name>
Marc Bradshaw <marc@marcbradshaw.net>
Bron Gondwana <brong@fastmailteam.com> (ARC)

THANKS

Work on ensuring that this module passes the ARC test suite was generously sponsored by Valimail (https://www.valimail.com/)

COPYRIGHT AND LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.6 or, at your option, any later version of Perl 5 you may have available.