On Thu, Apr 4, 2024 at 1:23 AM Adam Brenner via NANOG <nanog@nanog.org> wrote: ..
> It seems to me that if msn.com is going to include DKIM headers in their outgoing email, they should also publish their DKIM public key. If they are not going to publish their DKIM public key, then they should not include DKIM headers in their outgoing email.

Microsoft can still sign the message, even if the signature cannot be verified because they have not yet published the public key, for whatever reason. That is a partial/incomplete implementation of DKIM then. The interpretation of the results by recipients should be the same as if that message had not been signed at all. And that domain has not published the policy record to indicate messages must be signed.

RFC6376 6.3 Interpretation of Results [ Page 50 ]

   If the email cannot be verified, then it SHOULD be treated the same
   as all unverified email, regardless of whether or not it looks like
   it was signed. See Section 8.15 for additional discussion.

> Other Microsoft email accounts and services such as hotmail.com and outlook.com publish their DKIM records. Again, it seems msn.com should as well.

-J
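
The receiver-side behaviour discussed in this message, as an added example that is not part of the original email: it builds the `<selector>._domainkey.<domain>` query name from a DKIM-Signature header and shows that a signature with no published key gets the same handling as an unsigned message. The domains, selectors, key data and the dict standing in for DNS are constructed assumptions; the function names are hypothetical.

```python
import re

# Constructed TXT records standing in for DNS so the example runs offline.
SAMPLE_DNS_TXT = {
    "sel1._domainkey.published.example": "v=DKIM1; k=rsa; p=MIIBIjANBgkq",
    "old._domainkey.published.example": "v=DKIM1; k=rsa; p=",  # empty p=: key revoked
}

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside values is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_lookup(headers, txt_lookup=SAMPLE_DNS_TXT.get):
    """Return (status, query_name) for the first DKIM-Signature header.

    Simplification: a real verifier may evaluate every signature present.
    """
    sig = next((v for k, v in headers if k.lower() == "dkim-signature"), None)
    if sig is None:
        return "unsigned", None
    tags = parse_tags(sig)
    if "d" not in tags or "s" not in tags:
        return "malformed-signature", None
    name = f"{tags['s']}._domainkey.{tags['d']}".lower()
    record = txt_lookup(name)
    if record is None:
        return "no-key-published", name
    if not parse_tags(record).get("p"):
        return "no-usable-key", name
    return "key-available", name  # cryptographic verification would follow

def handling(status):
    """RFC 6376 section 6.3: an unverifiable signature is handled like none."""
    return "verify-signature" if status == "key-available" else "treat-as-unverified"

if __name__ == "__main__":
    msg = [("From", "user@unpublished.example"),
           ("DKIM-Signature", "v=1; a=rsa-sha256; d=unpublished.example; s=sel1;\r\n bh=abc=; b=def=")]
    status, name = key_lookup(msg)
    print(name, status, handling(status))
```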