Matus UHLAR - fantomas <uh...@fantomas.sk> writes:

> On 02.05.23 08:37, Thomas Johnson wrote:
>> If there’s no dkim signature, you can’t check for dkim records in
>> dns. The selector for a dkim signature is arbitrary - there’s no
>> one dns lookup you can do to see all possible dkim records for a
>> domain.
>
> a trick: if _domainkeys.example.com exists (returns anything but
> NXDOMAIN), we may assume that at least DKIM records exist.
>
> I just have no idea how to test this in SA (at least not within rule).

I think that's a great idea, and we could add

  DKIM_MISSING Domain has DKIM records but message has no DKIM signature

with maybe +3 to start, as a sort-of-soft-implied-DMARC.

(surely this is doable in a plugin; it's not conceptually hard)
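
The check discussed in this thread, sketched as an added example in Python (not SpamAssassin plugin code and not from either poster), using the `_domainkey` label that RFC 6376 defines. Assumptions: the domain is taken from the From: header, `lookup` is a hypothetical resolver hook returning an rcode string, and the zone data and messages are constructed. It also covers two cases where "anything but NXDOMAIN" misleads: resolver errors and wildcard records.

```python
import email
import secrets
from email.utils import parseaddr

RULE, SCORE = "DKIM_MISSING", 3.0  # name and starting score proposed in the thread

def domain_publishes_dkim(domain, lookup):
    """True/False, or None when the DNS answer proves nothing.

    lookup(name) -> rcode string is a hypothetical resolver hook."""
    rcode = lookup(f"_domainkey.{domain}")
    if rcode == "NXDOMAIN":
        return False               # nothing at or below _domainkey
    if rcode != "NOERROR":
        return None                # SERVFAIL, REFUSED, timeout: not evidence
    # A wildcard (*.domain) also answers NOERROR, so probe a random sibling.
    control = lookup(f"{secrets.token_hex(8)}.{domain}")
    return True if control == "NXDOMAIN" else None

def evaluate(raw_message, lookup):
    """Score a message: SCORE if unsigned and the From: domain publishes DKIM."""
    msg = email.message_from_string(raw_message)
    if msg.get_all("DKIM-Signature"):
        return 0.0
    addr = parseaddr(msg.get("From", ""))[1]
    if "@" not in addr:
        return 0.0
    domain = addr.rpartition("@")[2].lower()
    return SCORE if domain_publishes_dkim(domain, lookup) is True else 0.0

# Constructed zone data standing in for real DNS.
RECORDS = {"sel1._domainkey.signer.example", "www.plain.example"}
WILDCARD_ZONES = {"wild.example"}

def fake_lookup(name):
    if name.endswith("down.example"):
        return "SERVFAIL"
    if any(r == name or r.endswith("." + name) for r in RECORDS):
        return "NOERROR"           # real name or empty non-terminal
    if any(name.endswith("." + z) for z in WILDCARD_ZONES):
        return "NOERROR"           # synthesized by the wildcard
    return "NXDOMAIN"

def sample(from_addr, signed=False):
    """Constructed test message."""
    sig = "DKIM-Signature: v=1; d=signer.example; s=sel1\n" if signed else ""
    return f"{sig}From: Alice <{from_addr}>\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for sender in ("a@signer.example", "a@plain.example", "a@wild.example"):
        print(sender, RULE, evaluate(sample(sender), fake_lookup))
```

An authoritative server that answers NXDOMAIN for empty non-terminals makes this check return False for a domain that does publish keys, so the rule then adds no score.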