Incoming SMTP in the year 2017 and absence of DKIM
mike at mtcc.com
Wed Nov 29 20:17:57 UTC 2017
On 11/29/2017 11:53 AM, Grant Taylor via NANOG wrote:
> On 11/29/2017 11:33 AM, Michael Thomas wrote:
>> A broken DKIM signature is indistinguishable from a lack of a
>> signature header.
> I'll argue that it's possible to distinguish between the two.
> *However* the DKIM standard states that you should treat a broken DKIM
> signature the same as no DKIM signature.
Remember: if you treat a broken signature better than lack of signature,
spammers will just insert phony signatures to game you.
So they really are the same.
> Not being able to tell if DKIM is in use has been a long standing
> annoyance of mine.
> That being said, I think it could be trivial to query for DMARC
> records and deduce things from the existence of the "adkim" option.
> If it's there and set to reject, then there really should be
> DKIM-Signature header for the message.
I haven't really kept up with DMARC, but its progenitor SSP could give
you that indication, IIRC.
The real problem with large enterprises that we found, however, is that
it was really hard to track down every 25-year-old 386 sitting in dusty
corners that was sending mail directly instead of through corporate
servers, to make certain that everything was signed that should be
signed. Maybe that's gotten better in the last 15 years, but I'm not too
hopeful.
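As an added illustration of the two points made in this exchange (a failed DKIM signature counting for no more than a missing one, and the DMARC "adkim" tag controlling how strictly the signing domain must align with the From: domain), here is a small DKIM-side DMARC evaluator. It is example code written for this archive, not anything posted by the participants; the DMARC records are constructed inline instead of being fetched from DNS, the organizational-domain rule is simplified to the last two labels, and the SPF half of DMARC is left out.

```python
"""DKIM-side DMARC evaluation: broken signature == no signature, alignment per adkim."""

# Constructed DMARC TXT records standing in for a DNS lookup of _dmarc.<domain>.
CONSTRUCTED_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r",   # strict DKIM alignment
    "example.net": "v=DMARC1; p=quarantine",                  # adkim absent -> relaxed
}

def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=...; adkim=...' into a dict; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    tags.setdefault("adkim", "r")   # RFC 7489 default: relaxed alignment
    tags.setdefault("p", "none")    # simplification: a missing p= is treated as none
    return tags

def org_domain(domain):
    """Simplified organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def dkim_aligned(from_domain, d_tag, mode):
    """Strict (s): d= must equal the From: domain. Relaxed (r): same org domain."""
    if mode.lower() == "s":
        return from_domain.lower() == d_tag.lower()
    return org_domain(from_domain) == org_domain(d_tag)

def dmarc_dkim_result(from_domain, dkim_results, record_txt):
    """dkim_results: list of (verify_status, d= domain) for each DKIM-Signature header.

    Returns (dkim_outcome, requested_policy). Only a signature that actually
    verifies AND aligns can pass; a 'fail' entry is treated exactly like no
    signature, so a forged or damaged header never helps the sender.
    """
    record = parse_dmarc(record_txt)
    if record is None:
        return ("none", "none")      # no DMARC policy published
    for status, d_tag in dkim_results:
        if status == "pass" and dkim_aligned(from_domain, d_tag, record["adkim"]):
            return ("pass", record["p"])
    return ("fail", record["p"])
```

With the strict record above, a message signed by mail.example.com does not pass for a From: of example.com, while the relaxed default on example.net accepts a subdomain signer.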