Is it safe to enable "Reject incoming email with invalid DKIM signature?"

Does anybody have experience with this option?

Reject incoming email with invalid DKIM signature?
If I enable it, will I get rid of non-legitimate emails, or will I ban normal emails too?

It will reject normal mail if it does not contain a valid DKIM signature.

If this is true then the label is unfortunate. Invalid != Missing

Hmm. ‘Only accept mail which has a valid DKIM signature’ is a suitable replacement?

Well, clarification is in order here. My reading is different from yours at this point. I think many of the major providers use it anyhow.

From what I understand “if the two signatures don’t match, it means the content was altered and the email is discarded with an “Invalid DKIM Signature” message.”

I use it and have never seen it block email without DKIM signatures. But it will block spammers who forge DKIM signatures.


From some tests I have performed, it seems that it accepts emails with no signature but not with an invalid signature.
So I guess that it helps get rid of some of the spam.


My tests confirm this. On a Virtualmin server which is configured to reject mail with invalid DKIM, the following spam was inboxed:

Return-Path: <>
Received: from (unknown [])
        by (Postfix) with ESMTP id CEACA402ED
        for <>; Wed, 22 Feb 2023 13:39:38 +0000 (UTC)
From: <>
Subject: Mailbox Storage Re-validation expires Today
 2/23/2023 3:55:44 a.m.
Date: 22 Feb 2023 14:39:36 +0100
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
X-Greylist: Default is to whitelist mail, not delayed by
 milter-greylist-4.5.11 ( []); Wed, 22 Feb 2023
 13:39:39 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.11 (
 []); Wed, 22 Feb 2023 13:39:39 +0000 (UTC) for IP:''
 DOMAIN:'[]' HELO:'' FROM:'' RCPT:''
X-Evolution-Source: 030f255176a05710629cb0adfb4405e4f69bb951

You were right, @ID10T

DKIM aims to identify a sender with a domain to avoid email spoofing. While this technique is used in spam and phishing, this is not always the case; therefore it is not the main objective of DKIM to prevent spam, only to ensure that a sender actually belongs to the domain it appears to belong to. When the signature is invalid, it is reason enough to think that said email is malicious and therefore reject it.
If you are not sure, you may quarantine email that fails DKIM instead of rejecting it, and check what gets quarantined.

I agree. In my previous message, I have quoted email headers of a spam in which my own email address has been spoofed to send me an email. Interestingly, this email hit my inbox despite Virtualmin being configured to reject incoming email which does not have a valid DKIM signature.

The moot point of this topic is not spam but valid DKIM signature. Should mail which does not contain a DKIM signature be classified as invalid when this Virtualmin setting is enabled?

Read this

The section DKIM v SPF, “DKIM is used to verify that no third party has tampered with data within an email. SPF, however, stops spoofed messages using the sender’s domain.”
“They are both a part of DMARC (Domain-based Message Authentication Reporting and Conformance)”

No, DKIM (as from my previous message) is there to detect tampering of the email, thus the “key” will be incorrect.
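The thread turns on the difference between a missing signature and an invalid one, and on the observation that a spoofed message with no DKIM-Signature header at all sailed past a "reject invalid DKIM" setting. The following is an added example (not code from the thread, from Virtualmin, or from Postfix) that makes the three outcomes concrete in Python's standard library: it checks the bh= body hash of a DKIM-Signature header against the canonicalized body (the tamper-detection part of RFC 6376), classifies the message as "none", "pass" or "fail", and applies a reject-invalid policy that, like the behaviour reported above, lets unsigned mail through. It does not verify the b= signature, which would need the sender's public key from DNS; the domain, selector and message contents are constructed for the example.

```python
import base64
import email
import hashlib
import hmac
import re


def canonicalize_body(body: bytes, mode: str = "simple") -> bytes:
    """Body canonicalization from RFC 6376 section 3.4.
    'simple': remove trailing empty lines; an empty body becomes a single CRLF.
    'relaxed': also strip trailing whitespace per line and collapse runs of
    spaces/tabs to one space, so benign whitespace changes in transit still pass."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def parse_tags(header_value: str) -> dict:
    """Split a tag=value;tag=value header into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(raw: bytes) -> str:
    """Return 'none' if there is no DKIM-Signature header, 'pass' if bh= matches
    the canonicalized body, 'fail' if it does not (body altered or header forged).
    Only the body hash is checked; a real verifier also validates b= with the
    public key published at <selector>._domainkey.<domain>."""
    head, _, body = raw.partition(b"\r\n\r\n")
    msg = email.message_from_bytes(head + b"\r\n\r\n")
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return "none"
    tags = parse_tags(sig)
    c = tags.get("c", "simple")                      # "header/body"; body defaults to simple
    body_mode = c.split("/")[1] if "/" in c else "simple"
    hasher = hashlib.sha1 if tags.get("a", "rsa-sha256").endswith("sha1") else hashlib.sha256
    digest = hasher(canonicalize_body(body, body_mode)).digest()
    try:
        claimed = base64.b64decode(tags.get("bh", ""), validate=True)
    except ValueError:
        return "fail"
    return "pass" if hmac.compare_digest(claimed, digest) else "fail"


def decide(result: str, reject_invalid: bool = True) -> str:
    """Policy as observed in the thread: only a failing signature is rejected;
    mail with no signature is accepted, so unsigned spoofs need SPF/DMARC instead."""
    if result == "fail" and reject_invalid:
        return "reject"
    return "accept"


def build_signed_message(headers: bytes, body: bytes, body_mode: str = "relaxed") -> bytes:
    """Constructed message with a DKIM-Signature whose bh= is correct for the body.
    The b= value is a placeholder: this example never produces a real RSA signature."""
    bh = base64.b64encode(hashlib.sha256(canonicalize_body(body, body_mode)).digest()).decode()
    dkim = (
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/{body_mode}; d=example.org;\r\n"
        f"\ts=sel; h=from:to:subject; bh={bh};\r\n"
        f"\tb=PLACEHOLDERnotARealSignature\r\n"
    )
    return dkim.encode() + headers + b"\r\n" + body


# Constructed sample messages (example.org / example.net are documentation domains).
HEADERS = b"From: alice@example.org\r\nTo: bob@example.net\r\nSubject: Invoice\r\n"
BODY = b"Please find the invoice attached.\r\n"

MSG_UNSIGNED = HEADERS + b"\r\n" + BODY                      # like the spam quoted in the thread
MSG_SIGNED = build_signed_message(HEADERS, BODY)
MSG_TAMPERED = MSG_SIGNED.replace(b"invoice attached", b"new bank details")
MSG_RESPACED = MSG_SIGNED.replace(b"Please find", b"Please   find")  # harmless under relaxed


def run_examples() -> dict:
    """Map each sample to (dkim result, policy decision)."""
    samples = {"unsigned": MSG_UNSIGNED, "signed": MSG_SIGNED,
               "tampered": MSG_TAMPERED, "respaced": MSG_RESPACED}
    return {name: (r := check_body_hash(m), decide(r)) for name, m in samples.items()}


if __name__ == "__main__":
    for name, (result, action) in run_examples().items():
        print(f"{name:9s} dkim={result:4s} -> {action}")
```

Run it and the unsigned message comes back `none`/`accept`, which is exactly the inboxed spoof from the header dump earlier in the thread: the setting only bites when a signature is present and wrong. The tampered body fails because the bh= hash no longer matches, while the whitespace-only change still passes under relaxed canonicalization; switch `body_mode` to `"simple"` in `build_signed_message` and the same respaced message fails.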