On 2023-05-02 at 12:29:53 UTC-0400 (Tue, 02 May 2023 12:29:53 -0400)
Greg Troxel <g...@lexort.com>
is rumored to have said:
> Matus UHLAR - fantomas <uh...@fantomas.sk> writes:
>
>> On 02.05.23 08:37, Thomas Johnson wrote:
>>> If there’s no dkim signature, you can’t check for dkim records in
>>> dns. The selector for a dkim signature is arbitrary - there’s no
>>> one dns lookup you can do to see all possible dkim records for a
>>> domain.
>>
>> a trick: if _domainkeys.example.com exists (returns anything but
>> NXDOMAIN), we may assume that at least DKIM records exist.
>> I just have no idea how to test this in SA (at least not within
>> a rule).
>
> I think that's a great idea, and we could add
>
>   DKIM_MISSING Domain has DKIM records but message has no DKIM signature
>
> with maybe +3 to start, as a sort-of-soft-implied-DMARC.

That is a terrible idea. There are perfectly good reasons for a domain
to only sign some mail. Justifying a +3 score on something which is only
wrong *IN YOUR HEAD* is hard.

ADSP and DMARC both exist apart from DKIM. It is an entirely valid
choice to NOT use them.

> (surely this is doable in a plugin; it's not conceptually hard)

Feel free to implement it on your own and report back the results.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
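
The existence probe discussed in this thread, as an added example that is not part of any poster's message and not SpamAssassin code: it builds the TXT query for the `_domainkey` label (the label RFC 6376 defines) and maps the reply's RCODE to "exists", "does not exist" or "indeterminate". All function names are hypothetical and the replies are constructed in-process so it runs offline.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
QTYPE_TXT, QCLASS_IN = 16, 1

def encode_qname(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_probe(domain, txid):
    """Build a TXT query for _domainkey.<domain> (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname("_domainkey." + domain)
    return header + question + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)

def classify(query, response):
    """Map a DNS reply to one of the probe's three outcomes."""
    if len(response) < 12:
        return "indeterminate"            # shorter than a DNS header
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "indeterminate"            # not a reply to this query
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "no-dkim-subtree"          # nothing at or below _domainkey
    if rcode == RCODE_NOERROR:
        return "dkim-subtree-exists"      # data or NODATA: the name exists
    return "indeterminate"                # SERVFAIL, REFUSED, ...

def fake_response(query, rcode):
    """Constructed sample reply: same ID and question, QR+RD+RA, given rcode."""
    flags = struct.pack("!H", 0x8180 | rcode)
    return query[:2] + flags + struct.pack("!HHHH", 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_probe("example.com", 0x1234)
    for rc in (RCODE_NOERROR, RCODE_NXDOMAIN, 2):
        print(rc, classify(q, fake_response(q, rc)))
```

The "exists" outcome says only that something is published under `_domainkey`; as the reply above points out, a domain may sign only some of its mail, so the result describes the domain and not any particular unsigned message.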