Re: Incoming SMTP in the year 2017 and absence of DKIM

[Michael Thomas <mike () mtcc com>]

A broken DKIM signature is indistinguishable from a lack of a signature 
header. It's possible that as a heuristic
you might be able to divine something from lack of signature and the 
existence of selectors for a domain, but
afaik there isn't an easy way to query for all of the dkim selectors for 
a domain, and even if there were it would
be a pretty sketchy heuristic, is my bet.

Mike

On 11/29/2017 10:18 AM, Eric Kuhnke wrote:
> Anecdotal experience. I'm subscribed to a lot of mailing lists. Some pass
> through DKIM correctly. Others re-sign the message with DKIM from their own
> server.
>
> > 98% of the spam that gets through my filters, which comes from an IP not
> in any of the major RBLs, has no DKIM signature for the domain. My theory
> is that it does introduce somewhat of a barrier to spam senders because
> they are frequently not in control of the mail server (which may be some
> ignorant third party's open relay), nor do they have access to the zonefile
> for the domain the mail server belongs to for the purpose of adding any
> sort of DKIM record.
>
>
>
> On Wed, Nov 29, 2017 at 10:12 AM, Michael Thomas <mike () mtcc com> wrote:
>
> > On 11/29/2017 10:03 AM, valdis.kletnieks () vt edu wrote:
> >
> > > On Wed, 29 Nov 2017 09:32:27 -0800, Michael Thomas said:
> > >
> > > There are quite a few things you can do to get the mailing list
> > > > traversal rate > 90%, iirc.
> > > Only 90% should be considered horribly broken.  Anything that makes
> > > it difficult to run a simple mailing list with less that at least 2 or 3
> > > 9's
> > > is unacceptable.
> > I've been saying for years that it should be possible to create the
> > concept of DKIM-friendly mailing lists. In such
> > a case, you could have your nines. Until then, the best you can hope for
> > is the list re-signing the mail and blaming
> > the list owner instead.
> >
> > Mike