Kurt and all,

Here are some statistics my company has on DKIM over the last 30 days.
(Note: We are a DMARC report aggregator and analytics company so these
stats cover all of the DMARC reports received for thousands of domains.)

% of all messages signed by DKIM = 97.79%
% of signed messages which pass DKIM = 99.57%
sample size = over 100 billion messages

Of course we are aggregating reports for organizations implementing DMARC,
so the percentage of messages signed may be skewed.  But it is clear that
of the messages which are signed, the percentage which pass is drastically
different than the numbers you see.  I think the data supports some issue
on your side with the DKIM evaluation, whether it be an email gateway
modifying signed message content before your server or something else.

We also see that domains with good implementations of SPF and DKIM
consistently see DMARC pass rates in excess of 99.99% of their legitimate
messages.

Roland gave an excellent explanation of the reason for the alignment
requirement that DMARC specifies.  One point in his reply I will disagree on
though is that domains without a current spoofing problem should not
implement a DMARC quarantine or reject policy.  The thing about spoofing
is that one never knows when one will become a victim.  We often see
domains that go periods of time without a spoofing issue and then are hit
hard on one day.  If your domain has excellent SPF and DKIM with a high
overall DMARC pass rate, you have fully analyzed your DMARC reports to
understand the risk of failures due to mailing lists or forwarding, and
everything looks good then why not protect yourself from future attacks
with a DMARC quarantine or reject?

Thanks,
Mike


On Thu, Jan 30, 2014 at 7:17 PM, Murray S. Kucherawy <superu...@gmail.com> wrote:

> On Thu, Jan 30, 2014 at 4:17 PM, Kurt Roeckx <k...@roeckx.be> wrote:
>
>> It's my understanding that in general about 90% of the DKIM mails
>> have a bad signature.
>>
>
> This seems to contradict the experience of most other operators.  I'm at a
> loss to understand why this is out of bounds for this conversation.
>
>   It's also my understanding that where DKIM
>> tends to fail, SPF tends to work and the other way around.
>>
>>
> This part is consistent with most operator experience as I understand it.
>
>
>>   But
>> DMARC seems to be combining the two in such a way it's more than
>> likely to have a failure as result instead of a pass.
>>
>
> In what way?  Specifically, why "more than likely"?  That's certainly true
> in your particular case where DKIM has such a low success rate, but there
> is ample anecdotal evidence that it is a sound premise most everywhere else.
>
>
>>
>> Why I'm seeing 90% failure in DKIM instead of 10% is irrelevant.
>>
>>
> I find that rather an unfortunate position, especially since it interferes
> with our ability to answer your questions.
>
> -MSK
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>
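
The question argued in this thread, whether combining SPF and DKIM makes a DMARC failure more or less likely, can be checked against a domain's own aggregate reports, since DMARC passes when either mechanism passes in alignment. The following is an added example, not part of the original messages; the report data is constructed, and the names `summarize`, `rate` and `_rec` are hypothetical.

```python
import xml.etree.ElementTree as ET  # for reports from untrusted senders, prefer defusedxml

# Constructed sample in the RFC 7489 aggregate-report layout (not real data).
def _rec(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row></record>")

SAMPLE_REPORT = ("<feedback><policy_published><domain>example.com</domain>"
                 "<p>none</p></policy_published>"
                 + _rec("192.0.2.10", 9000, "pass", "pass")    # direct mail
                 + _rec("198.51.100.7", 600, "pass", "fail")   # forwarded: SPF breaks
                 + _rec("203.0.113.5", 300, "fail", "pass")    # body altered in transit
                 + _rec("203.0.113.99", 100, "fail", "fail")   # unauthenticated source
                 + "</feedback>")

def summarize(xml_text):
    """Volume-weighted DKIM, SPF and DMARC pass counts for one report."""
    totals = {"messages": 0, "dkim_pass": 0, "spf_pass": 0, "dmarc_pass": 0}
    failing = {}  # source_ip -> messages failing both mechanisms
    for row in ET.fromstring(xml_text).iter("row"):
        count = int(row.findtext("count", default="0"))
        # policy_evaluated holds the aligned results that DMARC actually uses
        dkim_ok = row.findtext("policy_evaluated/dkim") == "pass"
        spf_ok = row.findtext("policy_evaluated/spf") == "pass"
        totals["messages"] += count
        totals["dkim_pass"] += count * dkim_ok
        totals["spf_pass"] += count * spf_ok
        if dkim_ok or spf_ok:              # DMARC needs only one aligned pass
            totals["dmarc_pass"] += count
        else:
            ip = row.findtext("source_ip")
            failing[ip] = failing.get(ip, 0) + count
    return totals, failing

def rate(totals, key):
    """Pass rate as a percentage, rounded to two decimals."""
    if not totals["messages"]:
        return 0.0
    return round(100.0 * totals[key] / totals["messages"], 2)

if __name__ == "__main__":
    totals, failing = summarize(SAMPLE_REPORT)
    for key in ("dkim_pass", "spf_pass", "dmarc_pass"):
        print(f"{key}: {rate(totals, key)}%")
    print("sources failing both checks:", failing)
```

On the constructed data the DMARC pass rate is higher than either the DKIM or the SPF rate alone, and the sources failing both checks are the ones to review before moving to a quarantine or reject policy.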