In which case neither will they be RFC compliant. (1) The "inaddr-arpa" ptr from the incoming connection, when resolved, MUST result in a set of IP Addresses which includes the original IP Address. (2) The "name" specified in the HELO/EHLO MUST resolve to an MTA that meets the above reverse/forward resolution requirement. (3) The domain name specified in the envelope-from MUST be resolvable to an MTA that meets the above requirement (1) or be empty. (4) The SPF checking, if done, MUST NOT fail. (5) The connecting MTA MUST NOT speak when not spoken to (that is, it MUST NOT not violate the SMTP chat protocol). If you dump all connections that are do not meet these requirements, you will have eliminated 99% or more of all spam. DKIM signatures do not really add much at all except prove that the message was sent through a server that could calculate a DKIM signature. It says nothing about whether the message is SPAM or not. 99% (or more) of all spam will have violated one or more of rules (1) through (5) long before the message contents are accepted so that the signature can be verified. --- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
-----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Eric Kuhnke Sent: Wednesday, 29 November, 2017 11:19 To: nanog@nanog.org list Subject: Re: Incoming SMTP in the year 2017 and absence of DKIM
Anecdotal experience. I'm subscribed to a lot of mailing lists. Some pass through DKIM correctly. Others re-sign the message with DKIM from their own server.
98% of the spam that gets through my filters, which comes from an IP not in any of the major RBLs, has no DKIM signature for the domain. My theory is that it does introduce somewhat of a barrier to spam senders because they are frequently not in control of the mail server (which may be some ignorant third party's open relay), nor do they have access to the zonefile for the domain the mail server belongs to for the purpose of adding any sort of DKIM record.
On Wed, Nov 29, 2017 at 10:12 AM, Michael Thomas <mike@mtcc.com> wrote:
On 11/29/2017 10:03 AM, valdis.kletnieks@vt.edu wrote:
On Wed, 29 Nov 2017 09:32:27 -0800, Michael Thomas said:
There are quite a few things you can do to get the mailing list
traversal rate > 90%, iirc.
Only 90% should be considered horribly broken. Anything that makes it difficult to run a simple mailing list with less that at least 2 or 3 9's is unacceptable.
I've been saying for years that it should be possible to create the concept of DKIM-friendly mailing lists. In such a case, you could have your nines. Until then, the best you can hope for is the list re-signing the mail and blaming the list owner instead.
Mike