On Tue, Jul 13, 2021 at 06:32:17PM -0400, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> Valid DKIM signatures can make it easier to apply greater scrutiny to
> messages that lack a positive reputation, without incurring an excessive
> false positive rate. But you still need some real evidence that a
> message is likely junk before it is rejected. Mere DKIM "failure" isn't
> such evidence.
>
> --
> Viktor.

And mere DKIM "success" on its own isn't much evidence of anything either.

The other day, I received a surprisingly competent phishing email. All of
the sender/reply addresses in the email itself were no-re...@amazon.ca
but the DKIM header had:

  d=rks-cryptomining.com

I assume it was validly signed with rks-cryptomining.com's key. But that
has nothing to do with the sender email address as seen by the recipient.
Not very reassuring.

DMARC is supposed to solve that by requiring that the DKIM domain
actually matches the sender email address domain. Neither DKIM nor SPF
actually does that on its own. DKIM is only concerned with the DKIM
domain (I think), and SPF is only concerned with the envelope sender
domain. Neither says anything about the From: header which the recipient
sees. Even if they did, many recipients probably only see the comment in
the From: header, not the address itself. I don't know if DMARC tries to
help with that.

Note: I might be wrong about some of the above (haven't read the RFCs
yet!) but it's what I've read elsewhere. Corrections are always welcome.

I'm beginning to think that DKIM headers might be getting added just to
improve spam detection scores. Perhaps I'm getting too cynical. :-)

amazon.ca's DMARC policy only asks for a report when both DKIM and SPF
fail. So maybe they wouldn't even get a report for such emails (not
sure, I have to read the RFC). I strongly expect that it would
constitute a DMARC+DKIM failure, even if it's a DKIM success.

cheers,
raf
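The DKIM/SPF/DMARC relationship discussed in the message above, as an added example that is not part of the thread or of any Postfix/OpenDMARC code: a minimal DMARC evaluator that takes the DKIM and SPF verdicts some other verifier already produced and decides whether they are *aligned* with the domain in the From: header. Everything in it is constructed for illustration: the sample message (address, signature tags and hashes are made up, modelled on the phish described), the DMARC record (a placeholder, not amazon.ca's real record), and a tiny stand-in for the Public Suffix List used to derive organizational domains. Real code would fetch the record from the `_dmarc.<domain>` TXT record and use a full PSL.

```python
# Added example, not code from the thread: how a DMARC verifier decides whether
# a DKIM or SPF "pass" actually counts for the domain shown in From:.
# Assumptions: the message, envelope sender, SPF/DKIM verdicts, DMARC record and
# public-suffix table below are all constructed; DKIM signature verification and
# the SPF check themselves are assumed to have been done by another component.
import email
import re
from email.utils import parseaddr

# Tiny stand-in for the Public Suffix List (assumption; use a real PSL in production).
PUBLIC_SUFFIXES = {"com", "ca", "org", "net", "co.uk"}


def organizational_domain(domain):
    """Public suffix plus one label, trying the longest candidate suffix first (RFC 7489 s.3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])


def aligned(identifier_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) = exact match, 'r' (relaxed) = same organizational domain."""
    a = identifier_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=none; adkim=r; rua=mailto:x' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dkim_signing_domains(msg):
    """The d= tag of every DKIM-Signature header; this is the only domain DKIM itself vouches for."""
    found = []
    for hdr in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", str(hdr))
        if m:
            found.append(m.group(1))
    return found


def evaluate_dmarc(raw_message, envelope_from, spf_result, dkim_results, dmarc_txt):
    """
    Combine verdicts the way a DMARC filter does.
      envelope_from: MAIL FROM address (the identity SPF actually checks)
      spf_result:    'pass' or 'fail' for that address
      dkim_results:  {signing domain: 'pass'|'fail'} from the DKIM verifier
      dmarc_txt:     the From: domain's DMARC record
    Returns (dmarc_result, disposition, details).
    """
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    rec = parse_dmarc_record(dmarc_txt)

    # A DKIM pass only helps if the signing domain aligns with the From: domain.
    dkim_ok = [d for d in dkim_signing_domains(msg)
               if dkim_results.get(d) == "pass" and aligned(d, from_domain, rec.get("adkim", "r"))]
    # Likewise an SPF pass only helps if the MAIL FROM domain aligns.
    spf_domain = envelope_from.rpartition("@")[2]
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, rec.get("aspf", "r"))

    passed = bool(dkim_ok) or spf_ok
    # p= applies only when DMARC fails; pct= and sp= are ignored here (simplification).
    disposition = "none" if passed else rec.get("p", "none")
    details = {
        "from_display_name": display_name,  # what most mail clients show
        "from_domain": from_domain,         # what DMARC actually aligns against
        "dkim_aligned_pass": dkim_ok,
        "spf_aligned_pass": spf_ok,
    }
    return ("pass" if passed else "fail"), disposition, details


# Constructed message modelled on the phish described in the thread; the address,
# selector, hashes and signature are made up and the signature does not verify.
PHISH = """\
From: "Amazon.ca" <news@amazon.ca>
Reply-To: "Amazon.ca" <news@amazon.ca>
To: victim@example.net
Subject: Your order
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rks-cryptomining.com;
 s=default; h=from:reply-to:to:subject; bh=FAKEBODYHASH=; b=FAKESIG=

Please confirm your account.
"""

# Constructed DMARC record for the example; NOT amazon.ca's actual record.
SAMPLE_RECORD = "v=DMARC1; p=none; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"


def phish_verdict():
    """Signature verifies and SPF passes for the signer's own domain, yet DMARC fails."""
    return evaluate_dmarc(
        PHISH,
        envelope_from="bounce@rks-cryptomining.com",
        spf_result="pass",
        dkim_results={"rks-cryptomining.com": "pass"},
        dmarc_txt=SAMPLE_RECORD,
    )


if __name__ == "__main__":
    print(phish_verdict())
```

Running it gives a DMARC result of `fail` with disposition `none`, because the only DKIM pass is for `rks-cryptomining.com`, which does not align with `amazon.ca`, and the SPF pass is for the envelope sender's domain, not the From: domain; with the constructed `p=none` record, the message is reported rather than rejected. Swapping the signing domain for `amazon.ca` (or a subdomain such as `mail.amazon.ca` under relaxed alignment) flips the result to `pass`. The display name is carried in `details` only to make the point that alignment never looks at it.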