A broken DKIM signature is indistinguishable from a lack of a signature header. It's possible that as a heuristic you might be able to divine something from lack of signature and the existence of selectors for a domain, but afaik there isn't an easy way to query for all of the dkim selectors for a domain, and even if there were it would be a pretty sketchy heuristic, is my bet. Mike On 11/29/2017 10:18 AM, Eric Kuhnke wrote:
Anecdotal experience. I'm subscribed to a lot of mailing lists. Some pass through DKIM correctly. Others re-sign the message with DKIM from their own server.
98% of the spam that gets through my filters, which comes from an IP not in any of the major RBLs, has no DKIM signature for the domain. My theory is that it does introduce somewhat of a barrier to spam senders because they are frequently not in control of the mail server (which may be some ignorant third party's open relay), nor do they have access to the zonefile for the domain the mail server belongs to for the purpose of adding any sort of DKIM record.
On Wed, Nov 29, 2017 at 10:12 AM, Michael Thomas <mike@mtcc.com> wrote:
On 11/29/2017 10:03 AM, valdis.kletnieks@vt.edu wrote:
On Wed, 29 Nov 2017 09:32:27 -0800, Michael Thomas said:
There are quite a few things you can do to get the mailing list
traversal rate > 90%, iirc.
Only 90% should be considered horribly broken. Anything that makes it difficult to run a simple mailing list with less that at least 2 or 3 9's is unacceptable.
I've been saying for years that it should be possible to create the concept of DKIM-friendly mailing lists. In such a case, you could have your nines. Until then, the best you can hope for is the list re-signing the mail and blaming the list owner instead.
Mike