On 02/03/2022 18:09, Edgaras | SENDER wrote:
>> No, that's quite clearly not literally true. Stop DKIM signing the spam
>> email and the problem goes away.
> Yep, and go directly against all the best email practices, guidelines and
> so on.

You're ignoring my point that you should stop sending [signed] spam email by interpreting it as "stop signing email".

>> You may not like it but Google is implementing DMARC correctly if the
>> DKIM signature is still valid.
> The point is not their implementation of DMARC. It's how they handle
> messages from obvious spam sources, which funnily enough don't satisfy any
> of their own guidelines https://support.google.com/mail/answer/81126,
> except for a hijacked DKIM signature.

These emails were DKIM signed by the sender; except for the ones with additional unsigned headers the signature has not been hijacked. The sender has DKIM signed a spam email.

If you are unwilling to moderate spam email from new accounts before DKIM signing their email with your own domain then I suggest you use a separate DKIM selector for each of them so that you can revoke them quickly. This does not require additional keys because the selector name is covered by the signature. DKIM selectors can include "." so you can even use a wildcard DNS record for them and only add a non-wildcard record for the ones you need to revoke. A short TTL will be necessary but you would only need to do that for the subset of selectors used for email that could be spam.

-- 
Simon Arlott
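
The per-account selector scheme suggested in the message above, as an added example that is not part of the original email: a simplified model of wildcard DNS lookup in which one key is published under a wildcard and a single selector is revoked by an exact record with an empty `p=` tag. The domain, selector names and key value are constructed placeholders.

```python
# Constructed zone: domain, selector names and key value are placeholders.
PUBKEY = "v=DKIM1; k=rsa; p=BASE64PUBLICKEYPLACEHOLDER"
ZONE = {
    # One shared key answers for every selector under "new" (short TTL in practice).
    "*.new._domainkey.example.com": PUBKEY,
    # Exact record overrides the wildcard; empty p= means revoked (RFC 6376).
    "u1842.new._domainkey.example.com": "v=DKIM1; p=",
}

def existing_names(zone):
    """Every name that exists in the zone, including empty non-terminals."""
    names = set()
    for owner in zone:
        labels = owner.split(".")
        names.update(".".join(labels[i:]) for i in range(len(labels)))
    return names

def lookup_txt(zone, qname):
    """Simplified RFC 4592 lookup: exact match, else wildcard at closest encloser."""
    if qname in zone:
        return zone[qname]
    names = existing_names(zone)
    if qname in names:          # name exists without data: wildcard does not apply
        return None
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in names:   # closest existing ancestor decides
            return zone.get("*." + encloser)
    return None

def key_state(selector, domain, zone=ZONE):
    """Return 'active', 'revoked' or 'no-key' for the s=/d= pair of a signature."""
    record = lookup_txt(zone, f"{selector}._domainkey.{domain}")
    if record is None:
        return "no-key"
    tags = dict(
        (k.strip(), v.strip())
        for k, _, v in (part.partition("=") for part in record.split(";"))
        if k.strip()
    )
    return "active" if tags.get("p") else "revoked"

if __name__ == "__main__":
    for sel in ("u9001.new", "u1842.new", "u7.old"):
        print(sel, key_state(sel, "example.com"))
```

Because a wildcard also matches names with several labels below it, a selector such as `a.b.new` resolves to the shared key as well unless an exact record exists for it.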