On Wed, Jul 14, 2021 at 01:48:21AM +0300, Kevin N. wrote:

> > It is a really bad idea to reject messages whose DKIM signature is invalid.
> > DO NOT DO THIS.
>
> Why exactly is it a really bad idea :) ?
> Could you give us some more practical details/examples?

The point is that absent a DMARC policy that promises DKIM signatures
aligned with the RFC2822.From domain, there is no sane threat model in
which rejecting invalid DKIM signatures yields any security benefit.

An attacker (spammer if you like) can always sign the mail with some
throw-away domain, or not sign it at all. So a failed DKIM signature
conveys nothing other than perhaps an operator error on the legitimate
sending system, or an unexpected message transformation in transit.

No spammer wastes bandwidth sending messages with broken DKIM
signatures; they either sign correctly or don't sign at all.

> In my opinion if a signature is present it should be valid. Always.
> Otherwise it loses its whole purpose.

You can certainly take a pedantic view that's contrary to the DKIM RFCs
and common sense; there's no Internet police to stop you. Just keep in
mind that rejecting failed DKIM signatures has no security benefit.

Spammers are often early adopters of various email security standards.
On some receiving systems there's a positive correlation between a
message having a valid DKIM signature and the message being spam!

> I would even go so far as to require DKIM signatures from everybody. But
> unfortunately that is not quite possible since there are still many who,
> for various reasons, can't provide a DKIM signature at all :) .

Your network, your rules. I am just trying to give rational advice.

-- 
    Viktor.
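
The decision logic argued for above, as an added example that is not part of the original message: a failed DKIM signature changes the outcome only when the From domain publishes a DMARC policy. The function name, the sample domains and the strict (exact-match) alignment are assumptions of this sketch; relaxed alignment needs the Public Suffix List and is left out.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DkimResult:
    domain: str   # d= tag of the DKIM-Signature header
    valid: bool   # did cryptographic verification succeed?


def disposition(from_domain: str, dkim: List[DkimResult],
                dmarc_policy: Optional[str], spf_aligned_pass: bool = False) -> str:
    """Authentication verdict only: 'accept' means "no authentication-based
    action, hand the message to normal content filtering"."""
    # No DMARC record (or p=none): the From domain has promised nothing about
    # signing, so a broken signature is treated exactly like no signature.
    if dmarc_policy in (None, "none"):
        return "accept"
    # DMARC passes when a *valid* signature's d= matches the From domain
    # (strict alignment, an assumption of this sketch) or aligned SPF passed.
    aligned = any(r.valid and r.domain.lower() == from_domain.lower() for r in dkim)
    if aligned or spf_aligned_pass:
        return "accept"
    return dmarc_policy  # 'quarantine' or 'reject', as the domain owner asked


# Constructed sample messages: (From domain, DKIM results, published policy)
SAMPLES = {
    "unsigned, no DMARC": ("example.org", [], None),
    "broken sig, no DMARC": ("example.org", [DkimResult("example.org", False)], None),
    "valid throw-away sig, p=reject": (
        "bank.example", [DkimResult("throwaway.example", True)], "reject"),
    "broken aligned sig, p=reject": (
        "bank.example", [DkimResult("bank.example", False)], "reject"),
    "valid aligned sig, p=reject": (
        "bank.example", [DkimResult("bank.example", True)], "reject"),
}

if __name__ == "__main__":
    for label, (frm, results, policy) in SAMPLES.items():
        print(f"{label:32} -> {disposition(frm, results, policy)}")
```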