[Rspamd-Users] Reject inbound that fail DKIM

G.W. Haywood rspamd at jubileegroup.co.uk
Wed May 24 10:28:25 UTC 2023


Hi Fred,

On Wed, 24 May 2023, Fred Zinsli via Users wrote:

> Been attempting to research this for some time, however my lack of
> knowledge has got the better of me.
>
> I want to reject all inbound emails that don't have (fail) DKIM.

There are often perfectly good reasons why a DKIM signature might fail
(for example, check this message:).  Rejecting messages on this basis
will probably serve you badly in the long term and I don't recommend
that you do it.  For the rationale please read RFC6376, especially
section 6.  In any case there are more effective, and more efficient,
ways of eliminating spam than by relying on DKIM - of course assuming
that eliminating spam is what you're trying to do.

While in principle DKIM is not in fact especially difficult, it is
significantly more complex than SPF, which seems to make it difficult
for many people.  When I last looked (around the end of 2016) at the
global state of SPF records, around 30% of the (tens of millions of)
SPF records I encountered were junk.  I deduced that even SPF was too
difficult for the layman.  Now, admittedly with a much smaller sample I'm
seeing with DKIM pretty much what I was seeing then with SPF, but the
problems seem to be more deeply rooted.

My feeling in 2016 was that if there was one group of people who were
best at SPF it was the spammers, and I guessed that this was because
their livelihoods are entirely dependent on their messages not being
rejected.  It seems to me that a similar story is playing out once
again now, but with DKIM replacing SPF as the technological hurdle.

-- 

73,
Ged.

