On 5/2/2023 1:02 PM, Bill Cole wrote:
> That is a terrible idea. There are perfectly good reasons for a domain
> to only sign some mail. Justifying a +3 score on something which is
> only wrong *IN YOUR HEAD* is hard.
> ADSP and DMARC both exist apart from DKIM. It is an entirely valid
> choice to NOT use them.

Yes, Bill is a voice of reason. There ARE good reasons to only sign
some mail. Example use case:
-----
I use SPF/DMARC everywhere. Emails from our servers do not have DKIM
signatures. All is good and management is easy.
However, I have several clients that use ESP contact managers, like
Constant Contact. Constant Contact provides a couple of CNAME records to
use for their signing records. All is good and management continues to
be easy. Everybody is happy. Deliverability is 100%.
-----
Validate a DKIM record IF it exists in an email. Honor DMARC policies
as you wish. But IMHO, it is probably not a good idea to go looking for
trouble that doesn't exist.
-- Jared Hall
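
The policy argued for in this message (validate DKIM only when a signature is present, and let DMARC pass on either aligned SPF or aligned DKIM), as an added Python example that is not part of the original message or of any filter's code. The function names, the two-label organizational-domain shortcut and every sample domain are assumptions constructed for illustration.

```python
def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # A production filter would consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b):
    # Relaxed alignment: both names share one organizational domain.
    return org_domain(a) == org_domain(b)

def evaluate(from_domain, spf_result, spf_domain, dkim_sigs, dmarc_policy):
    """dkim_sigs: (d= domain, result) for each DKIM-Signature header present.
    dmarc_policy: None when the From: domain publishes no DMARC record."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = any(r == "pass" and aligned(d, from_domain) for d, r in dkim_sigs)
    if not dkim_sigs:
        dkim = "absent"          # nothing to validate, so nothing to penalize
    elif any(r == "pass" for _, r in dkim_sigs):
        dkim = "pass"
    else:
        dkim = "fail"            # a signature exists and did not verify
    if dmarc_policy is None:
        dmarc = "no-policy"      # the domain chose not to publish DMARC
    elif spf_ok or dkim_ok:
        dmarc = "pass"           # one aligned mechanism is sufficient
    else:
        dmarc = "fail"
    enforce = dmarc == "fail" and dmarc_policy != "none"
    return {"dkim": dkim, "dmarc": dmarc,
            "action": dmarc_policy if enforce else "accept"}

if __name__ == "__main__":
    # Constructed sample messages, all with From: example.com
    cases = {
        "own server, unsigned": ("pass", "example.com", [], "reject"),
        "ESP, CNAME-delegated key": ("pass", "bounce.esp-example.net",
                                     [("example.com", "pass")], "reject"),
        "spoofed, unsigned": ("fail", "attacker.test", [], "reject"),
        "no DMARC, unsigned": ("pass", "example.com", [], None),
    }
    for name, args in cases.items():
        print(f"{name:26} {evaluate('example.com', *args)}")
```

The unsigned message from the domain's own servers and the ESP message signed through the delegated key both pass DMARC; only the message with neither aligned mechanism is handed to the published policy.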