Are DomainKeys for e-mail signing dead?

John Levine johnl at
Sat Mar 1 02:41:58 UTC 2014

>	-- gets mail from somebody with a domain that requires their mail to be
>validly signed (for instance, via DMARC)
>	-- leaves that sender's address in the From: line
>	-- and breaks the DKIM signature

Ah, that problem.

I'd strongly suggest a shim in front of LISTSERV that checks for DMARC
policies other than p=none and rejects the incoming mail, simply to
protect other members of the list.  Otherwise people who follow DMARC
advice will reject list mail and get bounced off the list.  Yes, this
actually happens.


More information about the NANOG mailing list