RE: Incoming SMTP in the year 2017 and absence of DKIM

["Keith Medcalf" <kmedcalf () dessus com>]

In which case neither will they be RFC compliant.

(1) The "inaddr-arpa" ptr from the incoming connection, when resolved, MUST result in a set of IP Addresses which 
includes the original IP Address.

(2) The "name" specified in the HELO/EHLO MUST resolve to an MTA that meets the above reverse/forward resolution 
requirement.

(3) The domain name specified in the envelope-from MUST be resolvable to an MTA that meets the above requirement (1) or 
be empty.

(4) The SPF checking, if done, MUST NOT fail.

(5) The connecting MTA MUST NOT speak when not spoken to (that is, it MUST NOT not violate the SMTP chat protocol).

If you dump all connections that are do not meet these requirements, you will have eliminated 99% or more of all spam.

DKIM signatures do not really add much at all except prove that the message was sent through a server that could 
calculate a DKIM signature.  It says nothing about whether the message is SPAM or not.  99% (or more) of all spam will 
have violated one or more of rules (1) through (5) long before the message contents are accepted so that the signature 
can be verified.

---
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.


> -----Original Message-----
> From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Eric Kuhnke
> Sent: Wednesday, 29 November, 2017 11:19
> To: nanog () nanog org list
> Subject: Re: Incoming SMTP in the year 2017 and absence of DKIM
>
> Anecdotal experience. I'm subscribed to a lot of mailing lists. Some
> pass
> through DKIM correctly. Others re-sign the message with DKIM from
> their own
> server.
>
> > 98% of the spam that gets through my filters, which comes from an IP
> not
> in any of the major RBLs, has no DKIM signature for the domain. My
> theory
> is that it does introduce somewhat of a barrier to spam senders
> because
> they are frequently not in control of the mail server (which may be
> some
> ignorant third party's open relay), nor do they have access to the
> zonefile
> for the domain the mail server belongs to for the purpose of adding
> any
> sort of DKIM record.
>
>
>
> On Wed, Nov 29, 2017 at 10:12 AM, Michael Thomas <mike () mtcc com>
> wrote:
>
> > On 11/29/2017 10:03 AM, valdis.kletnieks () vt edu wrote:
> >
> > > On Wed, 29 Nov 2017 09:32:27 -0800, Michael Thomas said:
> > >
> > > There are quite a few things you can do to get the mailing list
> > > > traversal rate > 90%, iirc.
> > > Only 90% should be considered horribly broken.  Anything that
> makes
> > > it difficult to run a simple mailing list with less that at least
> 2 or 3
> > > 9's
> > > is unacceptable.
> >
> > I've been saying for years that it should be possible to create the
> > concept of DKIM-friendly mailing lists. In such
> > a case, you could have your nines. Until then, the best you can
> hope for
> > is the list re-signing the mail and blaming
> > the list owner instead.
> >
> > Mike