nanog mailing list archives

Re: Incoming SMTP in the year 2017 and absence of DKIM


From: Blake Hudson <blake () ispn net>
Date: Wed, 29 Nov 2017 14:35:12 -0600

Eric Kuhnke wrote on 11/29/2017 11:03 AM:
For those who operate public facing SMTPd that receive a large volume of
incoming traffic, and accordingly, a lot of spam...

How much weight do you put on an incoming message, in terms of adding
additional score towards a possible value of spam, for total absence of
DKIM signature?

Spammers can:
    A) Establish domains that use SPF and DKIM as well as anyone else
    B) Use the stolen credentials of legitimate accounts on legitimate servers to relay SPAM messages.

So the presence of SPF/DKIM does not reliably indicate whether the message is spam or not - only that the sender is "authenticated". The lack of optional tech like SPF and DKIM might be used as a heuristic, but it's not reliable enough to use in practice in my opinion. I wouldn't quarantine or reject messages that are missing these optional technologies because the take rate isn't high enough.

Where DKIM/SPF really help is when there's a failure that indicates a message has been spoofed. This is a good indication of phishing and is a justified reason to reject or quarantine a message in the interest of your employees or subscribers. Sometimes these will be config errors, but I feel confident telling the sender to take config issues up with their service provider.
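
The policy described in the message above, as an added example that is not part of the original thread: absence or presence of SPF/DKIM changes nothing, while an explicit failure leads to quarantine. It assumes the receiving MTA records its checks in an `Authentication-Results` header (RFC 8601); the authserv-id `mx.example.net`, the action names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.net"  # assumption: the authserv-id your own MTA stamps
RESINFO = re.compile(r"\s*(spf|dkim)\s*=\s*([a-z]+)", re.I)

def auth_results(raw):
    """Collect SPF/DKIM results, but only from headers our own MTA added."""
    found = {"spf": [], "dkim": []}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", " ", value)  # strip (comments)
        authserv, _, rest = value.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != TRUSTED_AUTHSERV:
            continue  # header supplied by the sender or a relay: not trusted
        for part in rest.split(";"):
            m = RESINFO.match(part)
            if m:
                found[m.group(1).lower()].append(m.group(2).lower())
    return found

def verdict(raw):
    """Return (action, failed_methods). Only an explicit fail is a signal."""
    results = auth_results(raw)
    # A method counts as failed if it reported fail and never pass
    # (one message can carry several DKIM signatures).
    failed = sorted(m for m, r in results.items()
                    if "fail" in r and "pass" not in r)
    return ("quarantine", failed) if failed else ("no-signal", [])

def sample(domain, *auth):
    """Build a constructed test message with the given header values."""
    head = "".join(f"Authentication-Results: {a}\n" for a in auth)
    return f"{head}From: user@{domain}\nSubject: test\n\nbody\n"

# Constructed sample messages, not real traffic.
SAMPLES = {
    "unsigned": sample("a.example", "mx.example.net; spf=none; dkim=none"),
    "signed": sample("b.example", "mx.example.net; spf=pass smtp.mailfrom=b.example;\n"
                                  " dkim=pass header.d=b.example"),
    "spoofed": sample("c.example", "mx.example.net; spf=fail (not permitted)"
                                   " smtp.mailfrom=c.example; dkim=fail header.d=c.example"),
    # The second header was injected upstream to claim a pass; it must be ignored.
    "forged_header": sample("d.example", "mx.example.net; spf=pass; dkim=fail header.d=d.example",
                                         "mail.d.example; dkim=pass header.d=d.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, verdict(raw))
```

A "no-signal" verdict means the message goes on to the usual content filtering with no score adjustment, whether it was signed or not.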


