A major reason many ESPs double DKIM sign is because two major providers (Google and Yahoo) will only provide compliance data (FBL in the case of Yahoo and access to Google Postmaster Tools in the case of Google) based on DKIM. While it is possible to have customers (or register for customers), it is time consuming and does mean that truly bad customers can simply remove access to those compliance metrics.
I do know one major ESP that didn’t double DKIM sign and my understanding is that it took more than 6 months to get access to all their customers’ Yahoo FBLs. I don’t know if they cared enough about GPT to set that up. laura > On 21 Apr 2022, at 23:28, Brandon Long via mailop <mailop@mailop.org> wrote: > > Generally speaking, adding a dkim signature to your message adds a "source" > anchor, something that ties a message to other messages. > > For us, this means another reputation in addition to things like IP address, > IP range, ASN, SPF domain. We do rank signatures when there are > multiple ones, ie for whether or not they are "test" signatures, the strength > of the key, and how well it matches the from header domain. > > Whether that helps you or not will depend on the reputation of the DKIM > domain. If I was a third party smtp server, I would only DKIM sign messages > we > a shared domain if I had a reasonable belief that the messages are non-spam. > One could even assign different signatures depending on how spammy > the message is, or how new the customer is, or other metrics (similar to how > one might use separate IP pools for different types of customers). > > If one does have a high value DKIM domain, then one should be very careful > about signing relayed messages. One could imagine only signing > outbound mailing list messages if the inbound message passes spam check and > is authenticated already... don't add auth to something that wasn't > authed, for example. This is doubly true for mail which has a from address > which matches what you're going to sign for, you don't want to relay a forged > message that isn't auth and add auth to it. > > As for receivers, phishing and spam evaluation are similar but not identical, > especially if you're looking for spear phishing. How you use the signals will > vary for those use cases... and an unmatched auth domain is definitely a > lesser signal when it comes to phishing. > > There's also the resurgence of dkim replay spam, which means that > non-matching spf/dkim domains are more likely to be penalized now.. or one > could even > "learn" the IPs for a given dkim domain and "usual" IPs may do better than > "unusual" IPs in that case. > > It's complicated. > > Brandon > > On Wed, Apr 20, 2022 at 7:09 PM Henrik S via mailop <mailop@mailop.org > <mailto:mailop@mailop.org>> wrote: > Hello > > My mail is sent by the third party smtp server, and the dkim signature > is made for the third party domain (for this case, it's pobox.com > <http://pobox.com/>). > > does this DKIM have helps to the authorization of my outgoing messages? > > Thanks > _______________________________________________ > mailop mailing list > mailop@mailop.org <mailto:mailop@mailop.org> > https://list.mailop.org/listinfo/mailop > <https://list.mailop.org/listinfo/mailop> > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://list.mailop.org/listinfo/mailop -- The Delivery Experts Laura Atkins Word to the Wise la...@wordtothewise.com Email Delivery Blog: http://wordtothewise.com/blog
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
