Incoming SMTP in the year 2017 and absence of DKIM

Grant Taylor gtaylor at
Wed Nov 29 20:44:23 UTC 2017

On 11/29/2017 01:17 PM, Michael Thomas wrote:
> Remember: if you treat a broken signature better than lack of signature, 
> spammers will just insert phony signatures to game you.
> So they really are the same.

Yes, they are /effectively/ the same.  However, it is possible to 
distinguish between a broken DKIM signature and the lack of a DKIM 

What you do with that information is up to you.  -  Guidelines suggest 
that you treat them the same.  (Thus them being /effectively/ the same.)

> The real problem with large enterprise that we found, however, is that 
> it was really hard to track down every 25 year 
> old 386 sitting in dusty corners that was sending mail directly instead 
> of through corpro servers to make certain 
> that everything was signed that should be signed. Maybe that's gotten 
> better in the last 15 years, but I'm not too hopeful.

I hear you, and I don't disagree with your sentiments about the 
difficulty of the matter.  However, I find it highly suspect that such 
ancient systems are still in use.  There may very well be replacements 
for said systems that are < 20 years old.

Either way, they would still run afoul of things like SPF (unless you 
allow your entire IP space to send email).

There are other security / vulnerability implications of such 
infrastructures.  -  I'd argue that they are motivation enough to 
wrangle these rogue systems.

Grant. . . .
unix || die
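The distinction drawn above (a verifier can tell "no signature" from "broken signature", while policy treats both alike) can be made concrete on the receiver side by reading the Authentication-Results header a verifier stamps on the message. The following is an added example, not code from the thread; the three sample header values are constructed, and the `authserv-id` value `mx.example.net` and domain `example.org` are placeholders.

```python
import re

# Constructed Authentication-Results values (RFC 8601 style), one per case the
# thread discusses. Not taken from the original post.
SAMPLES = {
    "signed":   "mx.example.net; dkim=pass header.d=example.org; spf=pass smtp.mailfrom=example.org",
    "broken":   "mx.example.net; dkim=fail (body hash mismatch) header.d=example.org; spf=pass smtp.mailfrom=example.org",
    "unsigned": "mx.example.net; dkim=none; spf=softfail smtp.mailfrom=example.org",
}

# method=result at the start of each ';'-separated clause; trailing comments
# and property/value pairs (header.d=..., smtp.mailfrom=...) are ignored here.
CLAUSE = re.compile(r"^\s*([a-z0-9-]+)=([a-z]+)", re.I)


def parse_auth_results(value):
    """Return (authserv_id, {method: result}) for one header value.
    Assumes no ';' inside CFWS comments, which is true of the samples above."""
    parts = [p for p in value.split(";") if p.strip()]
    authserv_id = parts[0].strip()
    results = {}
    for clause in parts[1:]:
        m = CLAUSE.match(clause)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv_id, results


def dkim_state(results):
    """Three-way classification: valid signature, no signature, or a signature
    that did not verify (fail, permerror, temperror, neutral, policy)."""
    result = results.get("dkim", "none")   # missing clause is treated as unsigned
    if result == "pass":
        return "valid"
    if result == "none":
        return "absent"
    return "broken"


def disposition(results):
    """Apply the guideline quoted in the thread: a broken signature earns no
    more trust than a missing one, so both collapse to 'unauthenticated'.
    The finer state is still returned so it can be logged and graphed."""
    state = dkim_state(results)
    trust = "dkim-authenticated" if state == "valid" else "unauthenticated"
    return state, trust


def classify_all(samples=SAMPLES):
    """Map each sample name to its (state, trust) pair."""
    return {name: disposition(parse_auth_results(v)[1]) for name, v in samples.items()}
```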
