> On May 2, 2023, at 9:37 AM, Thomas Johnson <t...@terramar.net> wrote:
>
>
>> On May 2, 2023, at 8:27 AM, Philip Prindeville
>> <philipp_s...@redfish-solutions.com> wrote:
>>
>> Is there a way to add scoring that says, "If the sending domain has DKIM
>> records, but there's no DKIM signature on this message, then attach a high
>> score to it?"
>>
>> We seem to attach negative scores when DKIM is present and valid, but what
>> about the opposite direction?
>>
>> If it's absent, but it shouldn't be?
>>
>
>
> If there’s no dkim signature, you can’t check for dkim records in dns. The
> selector for a dkim signature is arbitrary - there’s no one dns lookup you
> can do to see all possible dkim records for a domain.
>
> You can use ADSP - it’s old and I don’t know how many domains have ADSP
> records these days, but it lets a domain specify that all mail must be dkim
> signed to be considered valid.
>
> We tell our customers to add an ADSP record, and we use it when checking
> their incoming mail to help identify forgeries. I don’t know that it helps
> much with mail from non-customers, though. I’ll have to check and see how
> often our rules hit for that.
>
Right, because you need to grovel out the selector from the DKIM-Signature
line. Groan.
That you can't mark a domain as requiring DKIM at the top-level seems to be a
design flaw in the protocol.
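To make the two points in this thread concrete (the selector has to be pulled out of the DKIM-Signature header before any key lookup is possible, while the ADSP record sits at a fixed name that needs no selector), here is a small added illustration in Python; it is not code from anyone on this list or from SpamAssassin, and the ADSP answers and score values in it are constructed and hypothetical.

```python
import re
from typing import Optional

# Parse the tag=value list of a DKIM-Signature header (RFC 6376 style).
# Folding whitespace inside the header is tolerated and stripped from values.
def parse_dkim_tags(header_value: str) -> dict:
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

# The DKIM public key lives at <selector>._domainkey.<domain>, so the selector
# (s=) must be taken from the signature itself; there is no DNS name to ask
# "does this domain publish any DKIM key at all?".
def dkim_key_record_name(header_value: str) -> Optional[str]:
    tags = parse_dkim_tags(header_value)
    if "d" not in tags or "s" not in tags:
        return None
    return f"{tags['s']}._domainkey.{tags['d']}"

# ADSP (RFC 5617) is published at _adsp._domainkey.<domain>: no selector needed,
# so it can be consulted even when the message carries no DKIM-Signature.
def adsp_record_name(domain: str) -> str:
    return f"_adsp._domainkey.{domain}"

# Constructed ADSP answers standing in for a real DNS lookup (not real data).
CONSTRUCTED_ADSP = {
    "_adsp._domainkey.example.com": "dkim=all",
    "_adsp._domainkey.example.net": "dkim=discardable",
}

# Hypothetical scores: positive means "more likely spam/forgery", negative means
# "more trusted", mirroring the convention discussed above.
def score_unsigned_mail(from_domain: str, has_valid_dkim: bool,
                        adsp_lookup=CONSTRUCTED_ADSP.get) -> float:
    if has_valid_dkim:
        return -0.1
    record = adsp_lookup(adsp_record_name(from_domain))
    policy = parse_dkim_tags(record).get("dkim", "unknown") if record else "unknown"
    # Only an explicit ADSP policy lets us penalise a missing signature.
    return {"all": 2.5, "discardable": 5.0}.get(policy, 0.0)
```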