Incoming SMTP in the year 2017 and absence of DKIM

Michael Thomas mike at
Wed Nov 29 18:33:00 UTC 2017

A broken DKIM signature is indistinguishable from a lack of a signature
header. It's possible that as a heuristic you might be able to divine
something from lack of signature and the existence of selectors for a
domain, but afaik there isn't an easy way to query for all of the dkim
selectors for a domain, and even if there were it would be a pretty
sketchy heuristic, is my bet.


On 11/29/2017 10:18 AM, Eric Kuhnke wrote:
> Anecdotal experience. I'm subscribed to a lot of mailing lists. Some pass
> through DKIM correctly. Others re-sign the message with DKIM from their own
> server.
>
> 98% of the spam that gets through my filters, which comes from an IP not
> in any of the major RBLs, has no DKIM signature for the domain. My theory
> is that it does introduce somewhat of a barrier to spam senders because
> they are frequently not in control of the mail server (which may be some
> ignorant third party's open relay), nor do they have access to the zonefile
> for the domain the mail server belongs to for the purpose of adding any
> sort of DKIM record.
> On Wed, Nov 29, 2017 at 10:12 AM, Michael Thomas <mike at> wrote:
>> On 11/29/2017 10:03 AM, valdis.kletnieks at wrote:
>>> On Wed, 29 Nov 2017 09:32:27 -0800, Michael Thomas said:
>>>> There are quite a few things you can do to get the mailing list
>>>> traversal rate > 90%, iirc.
>>> Only 90% should be considered horribly broken.  Anything that makes
>>> it difficult to run a simple mailing list with less than at least 2 or 3 9's
>>> is unacceptable.
>> I've been saying for years that it should be possible to create the
>> concept of DKIM-friendly mailing lists. In such
>> a case, you could have your nines. Until then, the best you can hope for
>> is the list re-signing the mail and blaming
>> the list owner instead.
>> Mike
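
Added example, not part of the original message or thread: a receiver-side sketch in which a signature that fails verification contributes nothing, so a broken-signature message and an unsigned one produce the same result, and in which the key's DNS name can only be built from the s= and d= tags of a header that is present. The header values, example.org, the selector sel2017 and stub_verify are constructed stand-ins; a real verifier would do the DNS lookup and the cryptographic check.

```python
import re

def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature value (RFC 6376 tag=value list) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_record_name(tags):
    """DNS name of the public key: only derivable from s= and d= in the header."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def verified_domains(headers, verify):
    """Domains with at least one signature that verifies; failures count for nothing."""
    domains = set()
    for name, value in headers:
        if name.lower() != "dkim-signature":
            continue
        tags = parse_dkim_tags(value)
        if "d" in tags and "s" in tags and verify(tags):
            domains.add(tags["d"].lower())
    return domains

# Stand-in verifier (assumption): a real one fetches key_record_name(tags)
# from DNS and checks the b= and bh= values against the message.
def stub_verify(tags):
    return tags.get("b") == "GOODSIG"

# Constructed sample messages as (header name, value) pairs.
SIG = "v=1; a=rsa-sha256; d=example.org; s=sel2017;\r\n\th=from:to:subject; bh=AAAA=; b=%s"
UNSIGNED = [("From", "a@example.org"), ("Subject", "hi")]
BROKEN = UNSIGNED + [("DKIM-Signature", SIG % "MANGLED")]
VALID = UNSIGNED + [("DKIM-Signature", SIG % "GOODSIG")]

if __name__ == "__main__":
    for label, msg in (("unsigned", UNSIGNED), ("broken", BROKEN), ("valid", VALID)):
        print(label, sorted(verified_domains(msg, stub_verify)))
```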
