-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, 2018-08-02 at 14:49 -0400, Bill Cole wrote:
> The 'd=' domains don't use DNSSEC. This means that the immediate
> validity of the signature at delivery time is dependent on trusting a
> key which may be spoofed. The DKIM TXT record has a TTL of one day, so
> it is hard to be certain whether the signer today is the same entity
> as the signer tomorrow.

If you only trust DKIM signatures from DNSSEC domains, then you can only
enforce DMARC p=reject for a trivially small number of domains. The largest
providers that I have seen with DMARC p=reject are aol.* and yahoo.*, none of
which use DNSSEC. We reject a lot of spam based on their p=reject setting.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEAREKAAYFAltkqSsACgkQL6j7milTFsHOsgCeJP2N2pgoVZOvVVZXsmt7wkrb
rRYAoIKj8n+pmpetUtiVS2qwV4YHlekt
=kajG
-----END PGP SIGNATURE-----

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
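The trade-off the two posts describe can be made concrete with a small DMARC disposition evaluator. The following is an added example, not code from the mailop thread or from any poster: it parses a DMARC TXT record, checks DKIM and SPF identifier alignment against the From domain, and returns the resulting disposition. A `require_dnssec` switch models the stricter stance of only trusting DKIM keys whose TXT lookup was DNSSEC-validated; for a domain like yahoo.com (publishing p=reject, not DNSSEC-signed, as stated above) that switch turns every legitimate message into a reject, which is the point the reply makes. The DKIM/SPF results, the `DkimResult`/`SpfResult` types, and the two-label organizational-domain rule are constructed assumptions of this example (a real implementation uses the Public Suffix List and handles `pct=`).

```python
"""DMARC disposition evaluator (added example; not from the mailop thread).

The DKIM 'pass' fed into this evaluator rests on a public key fetched from
ordinary DNS; the require_dnssec flag shows the effect of refusing to trust a
DKIM pass unless that key lookup was DNSSEC-validated.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class DkimResult:
    d_domain: str           # the d= tag of the signature (assumed input)
    passed: bool            # signature verified against the fetched key
    dnssec_validated: bool  # was the key TXT lookup DNSSEC-validated (AD bit)?


@dataclass
class SpfResult:
    domain: str             # MAIL FROM domain that was checked (assumed input)
    passed: bool


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a 'v=DMARC1; p=reject; ...' TXT record into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption for this example: the last two
    labels. Production code must consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) requires an exact match,
    'r' (relaxed) requires the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def dmarc_disposition(from_domain: str,
                      dmarc_txt: str,
                      dkim_results: List[DkimResult],
                      spf_result: Optional[SpfResult],
                      require_dnssec: bool = False) -> str:
    """Return 'pass' if an aligned DKIM or SPF result authenticates the
    From domain, otherwise the published policy ('none', 'quarantine',
    'reject'). pct= sampling and sp= subdomain policy are not modelled."""
    tags = parse_dmarc(dmarc_txt)
    adkim = tags.get("adkim", "r").lower()
    aspf = tags.get("aspf", "r").lower()

    # A DKIM pass counts only if the signature verified, its d= domain aligns
    # with From, and (when required) the key came back DNSSEC-validated.
    dkim_ok = any(
        r.passed
        and aligned(r.d_domain, from_domain, adkim)
        and (r.dnssec_validated or not require_dnssec)
        for r in dkim_results
    )
    spf_ok = (spf_result is not None
              and spf_result.passed
              and aligned(spf_result.domain, from_domain, aspf))

    if dkim_ok or spf_ok:
        return "pass"
    return tags["p"].lower()


# Constructed sample inputs: a yahoo.com record with p=reject (as stated in
# the thread); the DKIM/SPF verdicts below are made up for illustration.
YAHOO_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-feedback@example.invalid"
LEGIT_DKIM = [DkimResult("yahoo.com", passed=True, dnssec_validated=False)]
FORGED_DKIM = [DkimResult("spammer.example", passed=True, dnssec_validated=False)]

if __name__ == "__main__":
    print("legit, plain DNS   :", dmarc_disposition("yahoo.com", YAHOO_DMARC, LEGIT_DKIM, None))
    print("legit, need DNSSEC :", dmarc_disposition("yahoo.com", YAHOO_DMARC, LEGIT_DKIM, None, require_dnssec=True))
    print("forged From        :", dmarc_disposition("yahoo.com", YAHOO_DMARC, FORGED_DKIM,
                                                    SpfResult("spammer.example", True)))
```

Run stand-alone it prints `pass`, `reject`, `reject`: the same p=reject record that drops the forged message also drops every genuine one once DKIM passes are only accepted from DNSSEC-validated key lookups, since yahoo.com's key record is not signed.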