On 2/17/2016 2:47 PM, Vernon Fort wrote: > I’m not sure where to ask this question so I hope postfix is ok. > When a receiving email server is checking DKIM signatures, does it > only check IF the signature is present in the message header. Or > does it always check for a DNS record for the domain and then check > the email message for a valid signature? >
Your unsigned messages won't (shouldn't?) be affected as long as you don't publish a DMARC policy indicating that all mail must be signed. I suppose you could publish a DMARC policy indicating DKIM is optional to make that explicit, but that shouldn't be necessary. https://dmarc.org On the other hand, now is a good time to enable signing of all your mail. > > > I was tasked with a last minute request to add Domainkey records in > our DNS for a marketing service. They (sales people) decided to use > our normal domain so I am trying to find out if our normal emails > coming out will be rejected because we have NO signature in the > message but do have DKIM records in our DNS zone. > Note Domainkeys is a predecessor of DKIM, which is now unused, and using that name can cause confusion. If someone says you need to enable Domainkeys, just translate that to DKIM in your head. It appears the mail you sent to the list is already DKIM signed by your mail service. Good. That's not a problem either since the DKIM header always indicates a selector (or DNS record) to be used for verifying, and a domain can have multiple selectors. -- Noel Jones
