On Thu, 2 Aug 2018 at 14:54, Bill Cole <mailop-20160...@billmail.scconsult.com> wrote:

> What I actually do not understand is why anyone (like BOTH of these
> senders) is bothering to DKIM-sign mail in ways that CANNOT align for
> DMARC and don't even match any domain in any header other than a
> signature. e.g.:

Providers are actively monitoring/building domain reputation based on DKIM signatures, even if there is no alignment (alignment is a concept that doesn't even exist in DKIM.. it is DMARC stuff).

Some providers send you FBLs only if you DKIM-sign emails (and they don't care about alignment, because it is not DKIM stuff).

So, one may care about DKIM even if they don't care about DMARC. Alignment is DMARC stuff. DMARC is newer than DKIM, and DKIM didn't require alignment for a reason.

If you want GPT or Yahoo FBLs for an email flow sent by SMTP servers under your control but where you can't control the thousands of different "From:" used, then you DKIM-sign using your own domain and happily get access to GPT and Yahoo FBLs: isn't this a good reason to do that? (You are not in a position to refuse sending those emails; you can only choose to add a signature or not.)

In our case our main DKIM signature for any email sent by our servers always matches the return-path domain, the HELO and the FCrDNS. It often doesn't match the MIME From, so it doesn't align. When we can do it we add a second signature aligned to the From, but we can't do that for every email.

Domain owners today can use DMARC to enforce alignment, but it is their option. Receivers can ignore non-aligned DKIM signatures (no one forces them to read them).

If you ignore DMARC there is not so much difference in "transparency" or "inscrutability" between a

    Sender: "ME" <me@yourdomain>
    From: "ME" <me@anotherdomain>
    DKIM: d=yourdomain

Compared to

    From: "ME" <me@yourdomain>
    Reply-to: "ME" <me@anotherdomain>
    DKIM: d=yourdomain

The first is not aligned, the second one is aligned.. when DMARC is enforced people move from the first to the second.. but there is not so much difference in the way most users will read the 2 emails. So I don't think there's a big "logical reason" they should be handled so differently with regard to spamminess.

In both cases you may want to assign a reputation to the sender IP and to the signing domain and use them in your spam-scoring.

Stefano

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
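
The two header layouts compared in the message above, run through a DMARC-style identifier alignment check. This is an added example, not part of the original post. It assumes placeholder .example domains, signatures that have already verified, and a naive "last two labels" organizational domain (real evaluators use the Public Suffix List).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed messages mirroring the two layouts in the post (placeholder domains).
MSG_SENDER = '''Sender: "ME" <me@yourdomain.example>
From: "ME" <me@anotherdomain.example>
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.example; s=sel1;
 h=from:sender; bh=placeholder; b=placeholder

body
'''
MSG_REPLYTO = '''From: "ME" <me@yourdomain.example>
Reply-To: "ME" <me@anotherdomain.example>
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.example; s=sel1;
 h=from:reply-to; bh=placeholder; b=placeholder

body
'''

def org_domain(domain):
    # Assumption: naive organizational domain (last two labels), no PSL lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def is_aligned(from_domain, d, mode="r"):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain).
    if mode == "s":
        return from_domain.lower() == d.lower()
    return org_domain(from_domain) == org_domain(d)

def dkim_alignment(raw, mode="r"):
    """Return (From domain, [(d= domain, aligned?)]) for every signature."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = []
    for sig in msg.get_all("DKIM-Signature", []):
        # Parse the tag=value list; folding whitespace is stripped per tag.
        tags = {}
        for item in sig.split(";"):
            if "=" in item:
                key, value = item.split("=", 1)
                tags[key.strip()] = "".join(value.split())
        d = tags.get("d", "").lower()
        results.append((d, is_aligned(from_dom, d, mode)))
    return from_dom, results

if __name__ == "__main__":
    for name, raw in (("Sender layout", MSG_SENDER), ("Reply-To layout", MSG_REPLYTO)):
        print(name, dkim_alignment(raw))
```

In both layouts the d= value, which is what a receiver would key signing-domain reputation on, is identical; only the alignment result differs.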