Incoming SMTP in the year 2017 and absence of DKIM
Grant Taylor
gtaylor at tnetconsulting.net
Wed Nov 29 19:53:01 UTC 2017
On 11/29/2017 11:33 AM, Michael Thomas wrote:
> A broken DKIM signature is indistinguishable from a lack of a signature
> header.
I'll argue that it's possible to distinguish between the two. *However*
the DKIM standard states that you should treat a broken DKIM signature
the same as no DKIM signature.
I've come to understand DKIM to be proof /positive/, as in trust
something when there is a DKIM signature -and- it validates. Everything
else defaults to neutral, NOT /negative/.
> It's possible that as a heuristic you might be able to divine something
> from lack of signature and the existence of selectors for a domain, but
> afaik there isn't an easy way to query for all of the dkim selectors for
> a domain, and even if there were it would be a pretty sketchy heuristic,
> is my bet.
Not being able to tell if DKIM is in use has been a long-standing
annoyance of mine.
That being said, I think it could be trivial to query for DMARC records
and deduce things from the existence of the "adkim" option. If it's
there and set to reject, then there really should be a DKIM-Signature
header for the message.
--
Grant. . . .
unix || die
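
The DMARC lookup suggested in the message above, as an added example that is not part of the original post: it parses the TXT value a domain publishes at `_dmarc.<domain>` and reports what that implies for a message that arrived without a DKIM-Signature header. In RFC 7489 the enforcement policy is carried in the `p` tag, while `adkim` is the DKIM alignment mode (`r` or `s`). The DNS query itself is left out, and the sample records and the function names are constructed for illustration.

```python
"""Added example: read a DMARC TXT record and say what it implies for unsigned mail."""

# Defaults RFC 7489 gives to tags a record omits.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse the TXT value found at _dmarc.<domain>. Returns a tag dict or None."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    # The version tag must come first and match "DMARC1" exactly.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    rec = {**DEFAULTS, **tags}
    for key in ("p", "adkim", "aspf"):
        rec[key] = rec.get(key, "").lower()
    # Simplification: a record without a valid p= is treated as unusable.
    if rec["p"] not in POLICIES:
        return None
    if rec["adkim"] not in ("r", "s"):
        rec["adkim"] = DEFAULTS["adkim"]  # invalid mode falls back to relaxed
    return rec


def unsigned_mail_hint(txt):
    """Heuristic for a message that arrived with no DKIM-Signature header."""
    rec = parse_dmarc(txt)
    if rec is None:
        return {"dmarc": False, "enforced": False, "note": "no usable DMARC record"}
    enforced = rec["p"] in ("quarantine", "reject")
    note = ("unsigned mail can pass only through aligned SPF"
            if enforced else "p=none: domain requests no enforcement")
    return {"dmarc": True, "enforced": enforced, "policy": rec["p"],
            "adkim": rec["adkim"], "note": note}


# Constructed sample records (example.* names, not taken from the thread).
SAMPLES = {
    "strict.example": "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@strict.example",
    "monitor.example": "v=DMARC1; p=none",
    "spfonly.example": "v=spf1 -all",
}

if __name__ == "__main__":
    for domain, txt in SAMPLES.items():
        print(domain, unsigned_mail_hint(txt))
```

Because DMARC is satisfied by either aligned DKIM or aligned SPF, an enforcing policy makes a missing signature notable but not conclusive on its own.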