> On May 2, 2023, at 8:27 AM, Philip Prindeville
> <philipp_s...@redfish-solutions.com> wrote:
>
> Is there a way to add scoring that says, "If the sending domain has DKIM
> records, but there's no DKIM signature on this message, then attach a high
> score to it?"
>
> We seem to attach negative scores when DKIM is present and valid, but what
> about the opposite direction?
>
> If it's absent, but it shouldn't be?
>

If there’s no DKIM signature, you can’t check for DKIM records in DNS. The selector for a DKIM signature is arbitrary - there’s no one DNS lookup you can do to see all possible DKIM records for a domain.

You can use ADSP - it’s old and I don’t know how many domains have ADSP records these days, but it lets a domain specify that all mail must be DKIM signed to be considered valid. We tell our customers to add an ADSP record, and we use it when checking their incoming mail to help identify forgeries. I don’t know that it helps much with mail from non-customers, though. I’ll have to check and see how often our rules hit for that.
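
Added example, not part of the original message: a sketch of the ADSP check described above, scoring a message whose author domain publishes a signing practice but which carries no valid signature from that domain. The record name `_adsp._domainkey.<domain>` and the `dkim=` values come from RFC 5617; the function names, the score values and the `example` domains are assumptions, and DNS is replaced by a constructed table so the code runs offline.

```python
import email
from email.utils import parseaddr

# Constructed TXT data standing in for DNS answers (placeholder domains).
SAMPLE_TXT = {
    "_adsp._domainkey.bank.example": ["dkim=all"],
    "_adsp._domainkey.promo.example": ["dkim=discardable"],
    "_adsp._domainkey.loose.example": ["dkim=unknown"],
}

def sample_lookup(name):
    """Hypothetical resolver: returns the TXT strings for a name, or []."""
    return SAMPLE_TXT.get(name, [])

def adsp_name(author_domain):
    # A DKIM key lives at <selector>._domainkey.<domain>, and the selector is
    # only known from a signature. The ADSP name is fixed, so it can be
    # queried even when the message has no DKIM-Signature header at all.
    return "_adsp._domainkey." + author_domain.lower().rstrip(".")

def adsp_practice(author_domain, lookup_txt):
    """Return 'all', 'discardable' or 'unknown' for the author domain."""
    for txt in lookup_txt(adsp_name(author_domain)):
        key, _, value = txt.split(";")[0].partition("=")  # dkim= is the first tag
        if key.strip() == "dkim" and value.strip() in ("all", "discardable"):
            return value.strip()
    return "unknown"  # no record, or dkim=unknown: nothing can be concluded

def score_message(raw, valid_signing_domains, lookup_txt, scores=None):
    """Score a message that lacks a signature its author domain says it should have.

    valid_signing_domains: d= values of signatures that a DKIM verifier
    (not shown here) has already validated for this message.
    """
    scores = scores or {"all": 2.5, "discardable": 5.0}  # assumed score values
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not domain:
        return 0.0
    if domain in {d.lower() for d in valid_signing_domains}:
        return 0.0  # valid author domain signature present
    return scores.get(adsp_practice(domain, lookup_txt), 0.0)

if __name__ == "__main__":
    unsigned = "From: Alice <alice@bank.example>\nSubject: invoice\n\nbody\n"
    print(score_message(unsigned, [], sample_lookup))
```

A domain with no ADSP record scores 0.0 here, which is the limitation the reply points out: without a published practice, a missing signature says nothing.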