Incoming SMTP in the year 2017 and absence of DKIM
mike at mtcc.com
Wed Nov 29 18:33:00 CST 2017
A broken DKIM signature is indistinguishable from a lack of a signature
header. It's possible that as a heuristic you might be able to divine
something from lack of signature and the existence of selectors for a
domain, but afaik there isn't an easy way to query for all of the DKIM
selectors for a domain, and even if there were it would be a pretty
sketchy heuristic, is my bet.
On 11/29/2017 10:18 AM, Eric Kuhnke wrote:
> Anecdotal experience. I'm subscribed to a lot of mailing lists. Some pass
> through DKIM correctly. Others re-sign the message with DKIM from their own
>
> 98% of the spam that gets through my filters, which comes from an IP not
> in any of the major RBLs, has no DKIM signature for the domain. My theory
> is that it does introduce somewhat of a barrier to spam senders because
> they are frequently not in control of the mail server (which may be some
> ignorant third party's open relay), nor do they have access to the zonefile
> for the domain the mail server belongs to for the purpose of adding any
> sort of DKIM record.
> On Wed, Nov 29, 2017 at 10:12 AM, Michael Thomas <mike at mtcc.com> wrote:
>> On 11/29/2017 10:03 AM, valdis.kletnieks at vt.edu wrote:
>>> On Wed, 29 Nov 2017 09:32:27 -0800, Michael Thomas said:
>>>> There are quite a few things you can do to get the mailing list
>>>> traversal rate > 90%, iirc.
>>> Only 90% should be considered horribly broken. Anything that makes
>>> it difficult to run a simple mailing list with less than at least 2 or 3
>>> is unacceptable.
>> I've been saying for years that it should be possible to create the
>> concept of DKIM-friendly mailing lists. In such a case, you could have
>> your nines. Until then, the best you can hope for is the list
>> re-signing the mail and blaming the list owner instead.
More information about the NANOG
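
Added example, not part of the original thread: a receiver only learns which selector to query from the s= and d= tags of a DKIM-Signature header, so an unsigned message gives it no key record to look up, and RFC 6376 has verifiers handle a failed signature like a missing one. The sample messages, the selector "sel2017" and the helper names are constructed for illustration.

```python
import email

def parse_tag_list(value):
    """Parse the tag=value list that forms a DKIM-Signature header body."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, _, val = part.partition("=")
        # Header folding whitespace is not significant in the tags used here.
        tags[name.strip()] = "".join(val.split())
    return tags

def key_lookup_names(raw_message):
    """DNS names a verifier would query for keys, one per DKIM-Signature."""
    msg = email.message_from_string(raw_message)
    names = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(header)
        if "d" in tags and "s" in tags:
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    return names

def treat_as(verify_result):
    """Hypothetical policy helper: only a passing signature counts as signed."""
    return "signed" if verify_result == "pass" else "unsigned"

# Constructed sample messages (signature values are placeholders, not real).
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel2017;\n"
    "\th=from:to:subject; bh=Y29uc3RydWN0ZWQ=;\n"
    "\tb=Y29uc3Ry\n"
    "\tdWN0ZWQ=\n"
    "From: a@example.com\n"
    "To: b@example.net\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
UNSIGNED = "From: a@example.com\nTo: b@example.net\nSubject: x\n\nbody\n"

if __name__ == "__main__":
    print(key_lookup_names(SIGNED))    # selector comes from the header itself
    print(key_lookup_names(UNSIGNED))  # nothing to query without a signature
    print(treat_as("fail"), treat_as("none"))
```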