Incoming SMTP in the year 2017 and absence of DKIM

Grant Taylor gtaylor at
Wed Nov 29 19:53:01 UTC 2017

On 11/29/2017 11:33 AM, Michael Thomas wrote:
> A broken DKIM signature is indistinguishable from a lack of a signature 
> header.

I'll argue that it's possible to distinguish between the two.  *However* 
the DKIM standard states that you should treat a broken DKIM signature 
the same as no DKIM signature.

I've come to understand DKIM to be proof /positive/, as in trust 
something when there is a DKIM signature -and- it validates.  Everything 
else defaults to neutral, NOT /negative/.

> It's possible that as a heuristic you might be able to divine something 
> from lack of signature and the existence of selectors for a domain, but 
> afaik there isn't an easy way to query for all of the dkim selectors for 
> a domain, and even if there were it would be a pretty sketchy heuristic, 
> is my bet.

Not being able to tell if DKIM is in use has been a long standing 
annoyance of mine.

That being said, I think it could be trivial to query for DMARC records 
and deduce things from the existence of the "adkim" option.  If it's 
there and set to reject, then there really should be DKIM-Signature 
header for the message.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3982 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the NANOG mailing list