Eric Kuhnke wrote on 11/29/2017 11:03 AM:
For those who operate public facing SMTPd that receive a large volume of incoming traffic, and accordingly, a lot of spam...
How much weight do you put on an incoming message, in terms of adding additional score towards a possible value of spam, for total absence of DKIM signature?
Spammers can: A) Establish domains that use SPF and DKIM as well as anyone else B) Use the stolen credentials of legitimate accounts on legitimate servers to relay SPAM messages. So the presence of SPF/DKIM does not reliably indicate whether the message is spam or not - only that the sender is "authenticated". The lack of optional tech like SPF and DKIM might be used as a heuristic, but it's not reliable enough to use in practice in my opinion. I wouldn't quarantine or reject messages that are missing these optional technology because the take rate isn't high enough. Where DKIM/SPF really help is when there's a failure that indicates a message has been spoofed. This is a good indication of phishing and is a justified reason to reject or quarantine a message in the interest of your employees or subscribers. Sometimes these will be config errors, but I feel confident telling the sender to take config issues up with their service provider.