+
+begin acl
+
+check_dkim:
+.ifdef BAD
+ warn logwrite = ${lookup dnsdb{defer_never,txt=_adsp._domainkey.$dkim_cur_signer}{$value}{unknown}}
+.endif
+.ifdef OPTION
+ warn condition = ${if eq {$dkim_algo}{rsa-sha1}}
+ condition = ${if eq {$dkim_verify_status}{pass}}
+ logwrite = NOTE: forcing dkim verify fail (was pass)
+ set dkim_verify_status = fail
+ set dkim_verify_reason = hash too weak
+.endif
+ accept
+ logwrite = signer: $dkim_cur_signer bits: $dkim_key_length
+