29

Is it OK if I sign a subset of domain emails, or is this an all-or-nothing game?

We use Amazon's Simple-Email-Service for sending e-commerce emails.

We would like to sign these with DKIM.

This same domain is also used for all email addresses for the corporation behind this e-commerce operation.

Due to some IT constraints, it does not look like we'll be able to sign the employee emails for many months to come.

Do spam protection servers look at the domain and see a DKIM public key and say, "OK, all emails must be signed", or do they look email-by-email and, if a signature is found, then they go looking for the public key?

Tony Meyer
  • 927
  • 7
  • 10
Brian Webster
  • 293
  • 1
  • 3
  • 11
  • 2
    Without directly knowing the answer to this question, you could always use a simple workaround: make Amazon SES send mail from something@e.yourdomain.com, and then only use DKIM on e.yourdomain.com. –  Apr 26 '12 at 21:42

3 Answers3

28

DKIM doesn't tell you anything about whether a message is spam or not (although it's a bit more work to set up, there's plenty of spam that is signed with a valid DKIM signature). DKIM is all about identity - do I know that this message is from the specified sender (and that it hasn't been altered in any meaningful way)?

No good anti-spam service will reject a message solely based on a lack of a DKIM signature. If there is an invalid signature, then that's something to consider (i.e. maybe this is phishing); however, it's risky to reject in this case (because signatures can get broken in transit), and most anti-spam filters will not do that (at least by default).

The use of DKIM (without anything else) is to allow the mail client to indicate to the user that the message sender is verified (much as browsers indicate to the user that traffic is sent over SSL, or that a certificate is trusted).

So, the simple answer is yes, it is useful to sign messages, even if you cannot sign them all. You can't tell your users that they should only trust messages that are signed, but they can at least trust some of them. (Unfortunately, not a lot of mail clients yet expose this information, and users aren't yet trained to look for it, so the benefits aren't large - yet).

The simple answer to the second question is no, any decent spam filter will ignore the lack of a DKIM signature.

Further to this, there are two ways you can extend your use of DKIM, that do have an impact when only some messages are signed.

Author Domain Signing Practices (ADSP) is an optional extension to DKIM where you specify what should happen to unsigned messages. Specifically, you can select from three choices:

  • unknown (this the behaviour you get if you don't use ADSP) - the domain signs some or all mail (or none, I suppose, although it would be then odd to have the record set up)
  • all - the domain signs all mail. The recipient (or their anti-spam filter) gets to choose what to do with messages that don't have a valid signature; commonly these would be put into some sort of quarantine or flagged in some way so that the user is aware that they are probably fraudulent.
  • discardable - the domain signs all mail, and is instructing the recipient (or their anti-spam filter) to silently discard any messages that don't have a valid signature. This is the same as "all", except that the sender, rather than the recipient, makes the decision about what to do with messages without a valid signature. Anti-spam (or anti-phishing, in this case) filters don't have to obey an ADSP instruction, but they are likely to.

So right now, you should either ensure that you don't have an ADSP record, or that if you do it is set to "unknown". Once you are able to sign all messages, you could move to "all" or "discardable", depending on what behaviour you would like.

Similar (but newer) to ADSP is Domain-based Message Authentication, Reporting & Conformance (DMARC). DMARC incorporates policies for both SPF failures and DKIM failures, and incorporates information about providing feedback (to the supposed sender domain) about failures. You've got basically the same choices as with ADSP, but more flexibility about how to work. The example the specification provides as to how you'd start using DKIM/SPF is roughly this:

  1. Deploy DKIM and SPF.
  2. Publish a DMARC policy of "none" with a feedback reporting address (this is like ADSP's "unknown", except that you also state that you want feedback about failures, so if they are really from you, you can figure out how to fix the problem).
  3. Tune your DKIM/SPF use until the feedback reports indicate that all your mail is appropriately authenticated.
  4. Increase the DMARC policy strength to "quarantine" for a small percentage (this instructs the receiver to quarantine any messages that don't meet the policy, but only for a randomly selected percentage of mail).
  5. Gradually increase the percentage (to 100%) as you get more confident that all mail is appropriately authenticated.
  6. Set a DMARC policy of "reject" (again with a small percentage to start with, building over time to 100%), so that rather than quarantining, messages that don't meet the policy are simply rejected.

DMARC is new, so only a few anti-spam filters are using it at present, but that will (probably) increase over time, and there's little cost in adopting it now.

If you choose to use DMARC, then right now you could get to step 2, and then continue through the steps as you manage to get all mail signed.

Tony Meyer
  • 927
  • 7
  • 10
  • 1
    Thanks for this detailed answer. If you're still around, I was wondering whether you'd be willing to update it (or state that it's still current) given it has now been almost 5 years? – Tim Malone Mar 16 '17 at 02:41
  • From what I've read, I think the ADSP part would be removed now that DMARC is the standard – mikato Mar 08 '18 at 16:47
  • From the DKIM perspective, are "unsigned" messages also considered a failure? – LatinSuD Feb 16 '21 at 13:09
3

I don't think there's a definite answer to this question. There are so many spam filters and they all work differently, so it's hard to predict how they would treat this condition.

My gut feeling is that you're definitely increasing the chances of your corporate mail getting blocked if your DNS indicates that it supports DKIM, yet the message does not bear any DKIM signatures. For example, Gmail appear to check this for ebay and paypal. This is however a rather specific case, and I can't imagine that Google can apply this to any domain, given that not all domains can guarantee all emails are DKIM signed.

RFC 4870 states that the signing domain (you) can specify an Outbound Signing Policy for your emails via DNS, specifically:

o = Outbound Signing policy ("-" means that this domain signs all email; "~" is the default and means that this domain may sign some email with DomainKeys).

So in theory, spam filters should honour this, if you specify that not all emails are signed.

However, this RFC has been superseded by RFC 4871 - in which I couldn't find a similar section...

I think this just illustrates how vague the situation might be, and how one spam filter might decide to take completely different actions from another...

Yoav Aner
  • 5,359
  • 3
  • 26
  • 37
  • Other than ADSP and DMARC, there are "backchannel" discussions among mail providers and companies that provide filtering services, and so it's fairly simple to arrange the same outcomes outside of ADSP/DMARC if necessary (if you're part of this industry, then you probably know someone that can invite you into these discussions). That doesn't scale as well as ADSP/DMARC, of course (and for the case of PayPal, owned by eBay, there is an ADSP "discardable" record). – Tony Meyer May 01 '12 at 00:45
  • 1
    RFC 4870 is "DomainKeys", which is completely deprecated now, in favour of DKIM (which is not the same thing: it's a merger of DomainKeys and Identified Internet Mail). The signing policy parts for DKIM are in RFC 5617 (ADSP). – Tony Meyer May 01 '12 at 00:47
  • Thanks @TonyMeyer. I think this just illustrates my point. There is so much stuff out there, and it's so confusing, it's really hard to know what a spam filter author chooses to implement and what interpretations they might apply to (the existence or lack of) DKIM signatures. – Yoav Aner May 01 '12 at 08:48
  • For the little filters or the DIY ones, sure. Anyone that works on a filter that handles any significant volume of mail will deal with this properly (which means not discarding unsigned mail, unless there is a policy that requests that behaviour). Developers of filters play close attention to what's required, and also communicate a lot with each other. – Tony Meyer May 02 '12 at 10:50
  • I wasn't suggesting that filters necessarily discard unsigned email, that's highly unlikely. But since most filters calculate some score based on multiple factors, it's entirely possible, and in my opinion even likely that it negatively impacts an email's score if the domain specified a DKIM key yet the email isn't signed. At least with some filters, or based on how they might be configured. – Yoav Aner May 02 '12 at 12:38
  • In my experience (as a filter developer, who regularly communicates with other filter developers and mail providers), that is not true. – Tony Meyer May 02 '12 at 23:07
  • That's good to know. You are obviously an expert in this area, which I am not. With my limited experience however, I have seen some weird stuff being applied by sysadmins or perhaps certain filters, some times appearing to be in clear violation of what certain RFCs specify. – Yoav Aner May 03 '12 at 06:59
2

As Tony mentioned, using DKIM on all emails for a domain becomes important when you want to implement DMARC. In the time that he answered your question DMARC has become much more relevant, with both Yahoo and AOL setting Reject policies for their domains. The major ISPs (Google, Yahoo, Comcast, etc) all support DMARC now as well.

The problem with DMARC is understanding your sending sources that do not align with SPF and DKIM. We just released a free labs project to help with this at http://dmarc.postmarkapp.com. It's really interesting to see how many sources send email on your domain's behalf.

So with DMARC gaining fast adoption, the clear answer is "Yes, it is bad to only sign some messages for a domain."

cnagele
  • 21
  • 2
  • Interesting @cnagele. I never heard of DMARC before. BTW, does that DMARC report service requires to have both SPF and DKIM records to send those reports? I have been using SPF on one domain but I am planning to outsource part of the transactional email delivery to a third party service. Still my own mail server does not use DKIM. So I am concerned DMARC reports may not work in this case. What do you think? – mlemos Apr 20 '15 at 06:53
  • Not really, because DMARC passes if only one of SPF or DKIM pass. So you can get away with partial signing coverage if you have SPF in place too. – SilverlightFox Apr 06 '16 at 13:58