On 11/29/2017 01:17 PM, Michael Thomas wrote:
> Remember: if you treat a broken signature better than lack of signature, spammers will just insert phony signatures to game you.
> So they really are the same.
Yes, they are /effectively/ the same. However, it is possible to distinguish between a broken DKIM signature and the lack of a DKIM signature. What you do with that information is up to you. - Guidelines suggest that you treat them the same. (Thus them being /effectively/ the same.)
> The real problem with large enterprise that we found, however, is that it was really hard to track down every 25 year old 386 sitting in dusty corners that was sending mail directly instead of through corpro servers to make certain that everything was signed that should be signed. Maybe that's gotten better in the last 15 years, but I'm not too hopeful.
I hear you, and I don't disagree with your sentiments about the difficulty of the matter. However, I find it highly suspect that such ancient systems are still in use. There may very well be replacements for said systems that are < 20 years old. Either way, they would still run afoul of things like SPF (unless you allow your entire IP space to send email). There are other security / vulnerability implications of such infrastructures. - I'd argue that they are motivation enough to wrangle these rogue systems.

--
Grant. . . .
unix || die
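Added example (not part of the thread) illustrating the point above: a receiver can tell a missing DKIM signature from a broken one by reading its own Authentication-Results header, but a policy that gives a broken signature more credit than none is trivially gamed by adding a signature that does not verify. The sample headers and the two policy functions are constructed for this illustration.

```python
import re

# Constructed sample Authentication-Results headers (RFC 8601 style), as a
# receiving MTA might add them after running its SPF and DKIM checks.
SAMPLES = {
    "unsigned": "mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=none",
    "valid":    "mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com",
    "broken":   "mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=fail (body hash mismatch) header.d=example.com",
    # A message whose sender simply attached a DKIM-Signature that cannot verify.
    "phony":    "mx.example.net; spf=softfail smtp.mailfrom=example.com; dkim=permerror (bad signature) header.d=example.com",
}

def parse_authentication_results(header):
    """Map each method (spf, dkim, ...) in the header to its result token."""
    results = {}
    # The first ';'-delimited token is the authserv-id; the rest are method=result clauses.
    for part in header.split(";")[1:]:
        m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def classify_dkim(header):
    """Three-way classification: the receiver *can* distinguish absent from broken."""
    result = parse_authentication_results(header).get("dkim", "none")
    if result == "pass":
        return "signed-valid"
    if result == "none":
        return "unsigned"
    return "signed-broken"  # fail, permerror, temperror, neutral, ...

def naive_trust(header):
    """The policy the thread warns against: a broken signature still earns partial credit."""
    return {"signed-valid": 2, "signed-broken": 1, "unsigned": 0}[classify_dkim(header)]

def recommended_trust(header):
    """Guideline policy: only a verified signature counts, so broken == absent."""
    return 2 if classify_dkim(header) == "signed-valid" else 0
```

Under `naive_trust` the "phony" message outranks an honest unsigned one; under `recommended_trust` they score the same, which is why the guidelines treat the two cases alike.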