On 11/29/2017 11:53 AM, Grant Taylor via NANOG wrote:
On 11/29/2017 11:33 AM, Michael Thomas wrote:
A broken DKIM signature is indistinguishable from a lack of a signature header.
I'll argue that it's possible to distinguish between the two. *However* the DKIM standard states that you should treat a broken DKIM signature the same as no DKIM signature.
Remember: if you treat a broken signature better than lack of signature, spammers will just insert phony signatures to game you. So they really are the same.
Not being able to tell if DKIM is in use has been a long standing annoyance of mine.
That being said, I think it could be trivial to query for DMARC records and deduce things from the existence of the "adkim" option. If it's there and set to reject, then there really should be DKIM-Signature header for the message.
I haven't really kept up with dmarc, but its progenitor ssp could give you that indication, iirc. The real problem with large enterprise that we found, however, is that it was really hard to track down every 25 year old 386 sitting in dusty corners that was sending mail directly instead of through corpro servers to make certain that everything was signed that should be signed. Maybe that's gotten better in the last 15 years, but I'm not too hopeful. Mike