Incoming SMTP in the year 2017 and absence of DKIM

Ken O'Driscoll ken at
Wed Nov 29 18:02:53 UTC 2017

On Wed, 2017-11-29 at 12:24 -0500, William Herrin wrote:
> Alright, so "horribly broken design" overstates the case but there are
> enough problems that weighting the absence of DKIM at something other
> than zero will surely do more harm than good.

+1. A DKIM signature by itself means nothing more than someone had the
ability to configure DKIM on an email server.

The signing domain (d=) is what matters as the signer needs access to the
zone in order to be able to publish the key, which may be interpreted as an
indication of trust.

DMARC requires the signing domain to be either exactly the same or share
the same organisational unit with the From address for this reason.

Even without DMARC, a receiver *could*, depending on the signing domain,
choose to interpret it as a positive signal. This is marginally better than
treating any DKIM signature or the absence thereof as a signal of any kind.

Personally, unless an author domain is publishing a DMARC policy of reject
or quarantine, I don't think recipients should be scoring based on DKIM at
all, perhaps with the exception of signing with a revoked key.


Ken O'Driscoll / We Monitor Email
t: +353 1 254 9400 | w:

Need to understand deliverability? Now there's a book:

More information about the NANOG mailing list