On Wed, 2017-11-29 at 12:24 -0500, William Herrin wrote:
> Alright, so "horribly broken design" overstates the case but there are enough problems that weighting the absence of DKIM at something other than zero will surely do more harm than good.
+1. A DKIM signature by itself means nothing more than someone had the ability to configure DKIM on an email server. The signing domain (d=) is what matters as the signer needs access to the zone in order to be able to publish the key, which may be interpreted as an indication of trust. DMARC requires the signing domain to be either exactly the same or share the same organisational unit with the From address for this reason.

Even without DMARC, a receiver *could*, depending on the signing domain, choose to interpret it as a positive signal. This is marginally better than treating any DKIM signature or the absence thereof as a signal of any kind.

Personally, unless an author domain is publishing a DMARC policy of reject or quarantine, I don't think recipients should be scoring based on DKIM at all, perhaps with the exception of signing with a revoked key.

Ken.

-- 
Ken O'Driscoll / We Monitor Email
t: +353 1 254 9400 | w: www.wemonitoremail.com

Need to understand deliverability? Now there's a book: www.wemonitoremail.com/book
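The alignment rule Ken describes (the DKIM d= domain must match the From domain exactly, or share its organisational domain) is what turns a bare signature into a usable signal. The following is an added illustration, not code from either poster or from any DKIM/DMARC library: it extracts d= from a DKIM-Signature header, derives the organisational domain with a small constructed stand-in for the Public Suffix List, checks strict versus relaxed alignment, and then applies the stance in the reply (only act on the signal when the author domain publishes p=reject or p=quarantine). The header values and DMARC records are constructed sample inputs, SPF alignment is deliberately left out, and a real receiver would use the full Public Suffix List.

```python
import re
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption for the example).
# Production code should use the real list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "net", "ie", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the organisational domain as DMARC defines it: the longest
    matching public suffix plus one more label (example.co.uk, example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i=0 tries the longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return suffix if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])          # unknown TLD: fall back to last two labels


def dkim_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list; folding whitespace is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def dkim_aligned(from_header: str, dkim_signature: str, mode: str = "r") -> bool:
    """DMARC DKIM identifier alignment. mode 's' = strict (exact match),
    'r' = relaxed (same organisational domain)."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    signing_domain = dkim_tags(dkim_signature).get("d", "").lower()
    if not from_domain or not signing_domain:
        return False
    if mode == "s":
        return from_domain == signing_domain
    return organizational_domain(from_domain) == organizational_domain(signing_domain)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def evaluate(from_header: str, dkim_signature: str, dkim_verified: bool,
             dmarc_record: str) -> tuple:
    """Return (dmarc_result, action). Action is 'ignore' when the author domain
    publishes no enforcing policy, matching the position in the reply above
    that DKIM alone should not be scored. SPF alignment is omitted here."""
    policy = parse_dmarc(dmarc_record) if dmarc_record else {}
    if policy.get("v") != "dmarc1":
        return ("none", "ignore")
    aligned = dkim_verified and dkim_aligned(
        from_header, dkim_signature, policy.get("adkim", "r"))
    if aligned:
        return ("pass", "accept")
    p = policy.get("p", "none")
    if p in ("reject", "quarantine"):
        return ("fail", p)
    return ("fail", "ignore")


# Constructed sample inputs (not real mail).
FROM_HDR = "Alice <alice@example.com>"
SIG_SUBDOMAIN = ("v=1; a=rsa-sha256; d=mail.example.com; s=sel; "
                 "h=from:to:subject; bh=abc=; b=xyz=")
SIG_THIRD_PARTY = ("v=1; a=rsa-sha256; d=mailer.example.net; s=sel; "
                   "h=from:to:subject; bh=abc=; b=xyz=")

if __name__ == "__main__":
    print(evaluate(FROM_HDR, SIG_SUBDOMAIN, True, "v=DMARC1; p=reject"))
    print(evaluate(FROM_HDR, SIG_SUBDOMAIN, True, "v=DMARC1; p=reject; adkim=s"))
    print(evaluate(FROM_HDR, SIG_THIRD_PARTY, True, "v=DMARC1; p=none"))
    print(evaluate(FROM_HDR, SIG_SUBDOMAIN, True, ""))
```

The third-party case is the one the thread is about: a perfectly valid signature from mailer.example.net says nothing about mail claiming to be from example.com, and with no enforcing policy published the receiver has no grounds to score it either way.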