Incoming SMTP in the year 2017 and absence of DKIM

Keith Medcalf kmedcalf at dessus.com
Wed Nov 29 20:58:53 UTC 2017


In which case neither will they be RFC compliant.  

(1) The "in-addr.arpa" PTR from the incoming connection, when resolved, MUST result in a set of IP Addresses which includes the original IP Address.

(2) The "name" specified in the HELO/EHLO MUST resolve to an MTA that meets the above reverse/forward resolution requirement.

(3) The domain name specified in the envelope-from MUST be resolvable to an MTA that meets the above requirement (1) or be empty.

(4) The SPF checking, if done, MUST NOT fail.

(5) The connecting MTA MUST NOT speak when not spoken to (that is, it MUST NOT violate the SMTP chat protocol).

If you dump all connections that do not meet these requirements, you will have eliminated 99% or more of all spam.

DKIM signatures do not really add much at all except prove that the message was sent through a server that could calculate a DKIM signature.  It says nothing about whether the message is SPAM or not.  99% (or more) of all spam will have violated one or more of rules (1) through (5) long before the message contents are accepted so that the signature can be verified.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.


>-----Original Message-----
>From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Eric Kuhnke
>Sent: Wednesday, 29 November, 2017 11:19
>To: nanog at nanog.org list
>Subject: Re: Incoming SMTP in the year 2017 and absence of DKIM
>
>Anecdotal experience. I'm subscribed to a lot of mailing lists. Some pass
>through DKIM correctly. Others re-sign the message with DKIM from their own
>server.
>
>>98% of the spam that gets through my filters, which comes from an IP not
>in any of the major RBLs, has no DKIM signature for the domain. My theory
>is that it does introduce somewhat of a barrier to spam senders because
>they are frequently not in control of the mail server (which may be some
>ignorant third party's open relay), nor do they have access to the zonefile
>for the domain the mail server belongs to for the purpose of adding any
>sort of DKIM record.
>
>On Wed, Nov 29, 2017 at 10:12 AM, Michael Thomas <mike at mtcc.com> wrote:
>
>> On 11/29/2017 10:03 AM, valdis.kletnieks at vt.edu wrote:
>>
>>> On Wed, 29 Nov 2017 09:32:27 -0800, Michael Thomas said:
>>>
>>>> There are quite a few things you can do to get the mailing list
>>>> traversal rate > 90%, iirc.
>>>>
>>> Only 90% should be considered horribly broken.  Anything that makes
>>> it difficult to run a simple mailing list with less than at least 2 or 3
>>> 9's is unacceptable.
>>>
>>
>> I've been saying for years that it should be possible to create the
>> concept of DKIM-friendly mailing lists. In such a case, you could have
>> your nines. Until then, the best you can hope for is the list re-signing
>> the mail and blaming the list owner instead.
>>
>> Mike
>>
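The connection-time checks (1) through (3) from Keith Medcalf's post above, written out as an added example; this is not code from any message in the thread or from any project it mentions. It runs against a small constructed DNS table (PTR, A and MX entries, all documentation-range addresses and example domains) standing in for live lookups, so it works offline. One reading of rule (3) is assumed: "resolvable to an MTA" is taken as the domain's MX hosts (or its own A record when it has no MX) naming a host that itself passes the reverse/forward test of rule (1). SPF (4) needs an SPF library and the chatter rule (5) needs a live session, so neither is modelled here.

```python
"""Reject-before-DATA checks (1)-(3) from the post, over a constructed DNS table.

Added example. The three dictionaries below are constructed stand-ins for
PTR, A and MX lookups; a real MTA filter would call a resolver instead.
"""
from typing import Dict, List

# Constructed data: 192.0.2.10 has matching forward/reverse DNS,
# 198.51.100.7 has a PTR whose name does not resolve back to it.
PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mx1.example.net."],
    "198.51.100.7": ["spamhost.example.org."],
}
A: Dict[str, List[str]] = {
    "mx1.example.net.": ["192.0.2.10"],
    "spamhost.example.org.": ["203.0.113.99"],
}
MX: Dict[str, List[str]] = {
    "example.net.": ["mx1.example.net."],
    "example.com.": ["mx1.example.net."],   # MX-only domain, no A record
}


def _fqdn(name: str) -> str:
    """Normalise to the trailing-dot form used as keys in the tables."""
    return name if name.endswith(".") else name + "."


def fcrdns_ok(ip: str) -> bool:
    """Rule (1): some PTR name for ip must resolve forward to a set containing ip."""
    return any(ip in A.get(_fqdn(name), []) for name in PTR.get(ip, []))


def host_is_compliant_mta(name: str) -> bool:
    """A host name denotes a compliant MTA when at least one of its addresses
    passes rule (1) and that address's PTR leads back to this very name
    (name -> IP -> PTR -> name)."""
    name = _fqdn(name)
    for ip in A.get(name, []):
        if name in map(_fqdn, PTR.get(ip, [])) and fcrdns_ok(ip):
            return True
    return False


def helo_ok(helo_name: str) -> bool:
    """Rule (2): the HELO/EHLO name must name a compliant MTA."""
    return host_is_compliant_mta(helo_name)


def envelope_from_ok(mail_from: str) -> bool:
    """Rule (3): MAIL FROM is empty (a bounce) or its domain resolves, via MX
    or else its own A record (assumed reading), to a compliant MTA."""
    if mail_from in ("", "<>"):
        return True
    if "@" not in mail_from:
        return False          # bare local part: nothing to resolve
    domain = _fqdn(mail_from.rsplit("@", 1)[1].strip("<>"))
    hosts = MX.get(domain) or ([domain] if A.get(domain) else [])
    return any(host_is_compliant_mta(h) for h in hosts)


def evaluate_connection(ip: str, helo_name: str, mail_from: str) -> List[str]:
    """Return the labels of the rules the session fails; an empty list means
    the session may proceed toward DATA. Rules (4) and (5) are not modelled."""
    failures: List[str] = []
    if not fcrdns_ok(ip):
        failures.append("(1) FCrDNS")
    if not helo_ok(helo_name):
        failures.append("(2) HELO")
    if not envelope_from_ok(mail_from):
        failures.append("(3) MAIL FROM")
    return failures


if __name__ == "__main__":
    print(evaluate_connection("192.0.2.10", "mx1.example.net", "<user@example.com>"))
    print(evaluate_connection("198.51.100.7", "spamhost.example.org", "<x@nowhere.invalid>"))
```

The order of the checks matches the order a session exposes the data: the peer address is known at connect time, the HELO name on the first command, and the envelope sender on MAIL FROM, so each rule can be applied as soon as its input arrives and the connection dropped at that point, which is what the post means by rejecting before the contents are accepted.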