On 27 Mar 2013, at 19:28, Yuri D'Elia <wavexx@???> wrote:
> I'm trying hard to see any positive effect of DKIM right now.
>
> I've been tagging emails for some time with different strategies, but I cannot get any SNR out of it. Most of the time, the broken signatures I got were from legitimate (but incorrectly configured) systems.
>
> I'm wondering if any of you have any numbers on DKIM usefulness for anything? I've been running some tests on a couple of low volume servers, and I really have no correlation of DKIM failures to anything except bad configuration or transient errors.
I think the trick is to combine it with SPF. A mailing list isn't really forwarding: it's sending a new message, even though the content is largely the same. If the list domain publishes SPF records, then the message should still pass an SPF test. Oh, and it should ideally add a DKIM signature, too.
So, in an ideal world where everyone publishes SPF, and everyone DKIM signs, legitimate messages should have an SPF pass and a good DKIM signature. And, one day, it'll be safe to reject messages that pass neither of those tests.
Of course, passing the tests doesn't mean that you've got a reputable sender. It just means that you know who the sender is. But that means that you can apply domain-based reputation tests, instead of IP-based reputation tests. And that makes whitelisting (a) safe, and (b) feasible.
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
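
The policy described in the reply above (a message is suspect only when it passes neither SPF nor DKIM, and reputation is then keyed on the authenticated domain), as an added example that is not part of the original message. It reads the Authentication-Results headers written by the receiving MTA; the authserv-id `mx.example.org`, the whitelist contents and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

TRUSTED_AUTHSERV = "mx.example.org"        # assumption: authserv-id of our own MTA
DOMAIN_WHITELIST = {"lists.example.net"}   # assumption: local domain reputation list
IDENTITY = {"spf": "smtp.mailfrom", "dkim": "header.d"}

def authenticated_domains(raw_message):
    """Domains that our own MTA recorded as passing SPF or DKIM."""
    domains = set()
    msg = message_from_string(raw_message)
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^()]*\)", "", value)       # drop header comments
        authserv, _, results = value.partition(";")
        if authserv.lower().split()[:1] != [TRUSTED_AUTHSERV]:
            continue                                   # not written by us: may be forged
        for clause in results.split(";"):
            m = re.match(r"\s*(spf|dkim)\s*=\s*pass\b", clause, re.I)
            if not m:
                continue                               # fail/none/neutral prove nothing
            key = re.escape(IDENTITY[m.group(1).lower()])
            prop = re.search(key + r"=([^\s;]+)", clause, re.I)
            if prop:
                domains.add(prop.group(1).rpartition("@")[2].lower())
    return domains

def classify(raw_message):
    """'unauthenticated' means neither test passed; otherwise judge the domain."""
    domains = authenticated_domains(raw_message)
    if not domains:
        return "unauthenticated"
    return "whitelisted" if domains & DOMAIN_WHITELIST else "authenticated"

def sample(*auth_results):
    """Build a constructed test message (not real mail)."""
    head = "".join(f"Authentication-Results: {v}\n" for v in auth_results)
    return head + "From: someone@example.com\nSubject: test\n\nbody\n"

# List mail: the author's DKIM signature broke, but the list's own SPF and DKIM pass.
LIST_MAIL = sample("mx.example.org; spf=pass smtp.mailfrom=bounce@lists.example.net;"
                   " dkim=fail (body hash mismatch) header.d=author.example;"
                   " dkim=pass header.d=lists.example.net")
# A "pass" header inserted upstream is ignored; only our MTA's verdict counts.
FORGED = sample("mx.elsewhere.example; spf=pass smtp.mailfrom=lists.example.net",
                "mx.example.org; spf=fail smtp.mailfrom=lists.example.net; dkim=none")
UNKNOWN = sample("mx.example.org; spf=none smtp.mailfrom=x@new.example;"
                 " dkim=pass header.d=new.example")
```

A broken signature on its own never produces "unauthenticated" here; only the absence of any pass does, and a pass only identifies the domain to which reputation is then applied.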