> You're ignoring my point that you should stop sending [signed] spam email by interpreting it as "stop signing email".
Yeah, if only we had a 100% accurate way to tell spam/ham for every single message.

> These emails were DKIM signed by the sender; except for the ones with
> additional unsigned headers the signature has not been hijacked. The
> sender has DKIM signed a spam email.

Oversigning is supposed to break the additional unsigned headers.

> If you are unwilling to moderate spam email from new accounts before
> DKIM signing their email with your own domain then I suggest you use a
> separate DKIM selector for each of them so that you can revoke them
> quickly. This does not require additional keys because the selector name
> is covered by the signature.

That's a good idea, thanks. We're looking into how to implement that on our side.

Edgar Vaitkevičius, founder / CEO
ed...@sender.net

On Wed, Mar 2, 2022 at 8:57 PM Simon Arlott via mailop <mailop@mailop.org> wrote:

> On 02/03/2022 18:09, Edgaras | SENDER wrote:
> >> No, that's quite clearly not literally true. Stop DKIM signing the spam
> >> email and the problem goes away.
> > Yep, and go directly against all the best email practices, guidelines and
> > so on.
>
> You're ignoring my point that you should stop sending [signed] spam
> email by interpreting it as "stop signing email".
>
> >> You may not like it but Google is implementing DMARC correctly if the
> >> DKIM signature is still valid.
> > The point is not their implementation of DMARC. It's how they handle
> > messages from obvious spam sources, which funnily enough don't satisfy any
> > of their own guidelines https://support.google.com/mail/answer/81126,
> > except for a hijacked DKIM signature.
>
> These emails were DKIM signed by the sender; except for the ones with
> additional unsigned headers the signature has not been hijacked. The
> sender has DKIM signed a spam email.
>
> If you are unwilling to moderate spam email from new accounts before
> DKIM signing their email with your own domain then I suggest you use a
> separate DKIM selector for each of them so that you can revoke them
> quickly. This does not require additional keys because the selector name
> is covered by the signature.
>
> DKIM selectors can include "." so you can even use a wildcard DNS record
> for them and only add a non-wildcard record for the ones you need to
> revoke. A short TTL will be necessary but you would only need to do that
> for the subset of selectors used for email that could be spam.
>
> --
> Simon Arlott
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
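An added example, not part of the original thread: a small Python model of the per-account selector scheme suggested above, resolving selectors with RFC 4592 wildcard rules to show revocation through an empty `p=` record and one pitfall of dotted selectors. The domain `example.com`, the `acctNNNN.cust` selector naming and the key value are assumptions made for illustration.

```python
"""Per-account DKIM selectors behind a wildcard TXT record (constructed example)."""

ACTIVE = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"   # placeholder, not a real key
REVOKED = "v=DKIM1; p="   # empty p= marks the key as revoked (RFC 6376, 3.6.1)

# Wildcard one level below the account label: explicit records shadow it cleanly.
ZONE = {
    "*.cust._domainkey.example.com": ACTIVE,
    "acct1002.cust._domainkey.example.com": REVOKED,
}
# Pitfall: wildcard higher up. The explicit record creates the node
# cust._domainkey.example.com, which stops wildcard synthesis for its siblings.
BAD_ZONE = {
    "*._domainkey.example.com": ACTIVE,
    "acct1002.cust._domainkey.example.com": REVOKED,
}

def lookup_txt(zone, qname):
    """Return the TXT value for qname using RFC 4592 wildcard rules, or None."""
    qname = qname.lower().rstrip(".")
    if qname in zone:
        return zone[qname]
    nodes = set()   # all existing names, including empty non-terminals
    for owner in zone:
        labels = owner.split(".")
        nodes.update(".".join(labels[i:]) for i in range(len(labels)))
    if qname in nodes:
        return None   # empty non-terminal: no data, and no wildcard applies
    labels = qname.split(".")
    for i in range(1, len(labels)):   # longest existing ancestor first
        encloser = ".".join(labels[i:])
        if encloser in nodes:
            return zone.get("*." + encloser)   # only the closest encloser counts
    return None

def key_status(zone, selector, domain="example.com"):
    """Classify the key a verifier would fetch for s=<selector>, d=<domain>."""
    txt = lookup_txt(zone, f"{selector}._domainkey.{domain}")
    if txt is None:
        return "no-key"
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return "active" if tags.get("p", "").strip() else "revoked"

if __name__ == "__main__":
    for zone in (ZONE, BAD_ZONE):
        print([key_status(zone, f"acct{n}.cust") for n in (1001, 1002)])
```

In `BAD_ZONE` every account resolves until the first revocation record is published, after which the other `*.cust` selectors stop resolving, so the wildcard belongs directly under the label that the explicit records share.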