
Every now and then I browse my spam folder (for science!). Recently (after adding the DKIM Verifier plugin to my MUA) I noticed that some e-mails have a valid DKIM signature, but the Verifier points out that the sender domain and the signing domain are different. This got me thinking:

Should e-mails like this be treated as spam unconditionally? Are there any scenarios where such e-mails are legitimate?

madman_xxx

2 Answers

Should e-mails signed with another domain's DKIM key be treated as spam?

No, absolutely not. The relevant Internet Standard even suggests that there may be so many signatures that are of no value to you, that your verifier might not bother trying all of them.

A Verifier MAY limit the number of signatures it tries, in order to avoid denial-of-service attacks (see Section 8.4 for further discussion).

If you can use any of the (potentially numerous) signatures to extract a signal that the message was likely authorized by the indicated sender (e.g. DMARC), good for you. If one of the signatures clearly links the message with an entity known to you, you can use that as a ham/spam signal.

Otherwise, do not make any assumptions about why a message carries a specific signature - whether you were able to validate it or not. Use the ones that are useful to you, make no judgement about others.

If your MUA is displaying information about signatures without justifying why it showed that information to you, fix your MUA. It should not bother you with signatures - valid or otherwise - that are of no value to you.

A few examples of why a message might be carrying signatures that have no obvious (to you) relationship with the sending domain:

  • A message was re-sent and the forwarding party chose to leave the original signature there - this is more useful if the signature still validates, but it also should not hurt when done unconditionally.
  • The signature only serves to diagnose improper changes made by a relay, where that relay serves many different domains, and only on detection of changes is the postmaster of that relay going to look at that domain.
  • A mail service provider that has seen its name added to a substantial volume of forged mail is adding a signature to allow partners to more easily determine which email originated from their systems.
anx
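The answer above says to extract a signal only from signatures that align with the sender (DMARC-style) and to ignore the rest. The added example below, which is not code from the original post or from the DKIM Verifier plugin, shows that classification: it pulls the `d=` domain from each DKIM-Signature header, compares it to the From domain in strict and relaxed mode, and caps the number of signatures examined as RFC 6376 allows. The sample message is constructed, cryptographic verification of the signatures is deliberately not performed (it needs DNS key lookups), and the "last two labels" organizational-domain rule is a simplification of the Public Suffix List that real DMARC uses.

```python
import email
import re
from email.utils import parseaddr
from typing import Dict, List

# Constructed sample: one signature from the sender's organization, one from a
# third-party relay (e.g. a mailing list) that left its own signature on the mail.
SAMPLE = """From: Alice <alice@news.example.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=from:to:subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.net; s=lst;
 h=from:to:subject; bh=CCCC; b=DDDD
Subject: hello

body
"""

MAX_SIGNATURES = 5  # RFC 6376: a verifier MAY limit how many signatures it tries


def org_domain(domain: str) -> str:
    # Assumption/simplification: organizational domain = last two labels.
    # Real DMARC consults the Public Suffix List (needed for names like co.uk).
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_tags(value: str) -> Dict[str, str]:
    # Unfold the header and split the tag=value list; whitespace is insignificant.
    tags = {}
    for part in value.replace("\r\n", "").replace("\n", "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def classify_signatures(raw: str) -> List[Dict[str, str]]:
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    results = []
    for hdr in (msg.get_all("DKIM-Signature") or [])[:MAX_SIGNATURES]:
        tags = parse_tags(hdr)
        d = tags.get("d", "").lower()
        if d == from_domain:
            alignment = "strict"       # signing domain equals From domain
        elif d and org_domain(d) == org_domain(from_domain):
            alignment = "relaxed"      # same organization, different subdomain
        else:
            alignment = "none"         # unrelated signer: no sender signal, not spam either
        results.append({"d": d, "s": tags.get("s", ""), "alignment": alignment})
    return results


def has_aligned_signature(raw: str) -> bool:
    # The only DKIM-derived sender signal worth acting on, per DMARC alignment.
    return any(r["alignment"] != "none" for r in classify_signatures(raw))
```

A real verifier would additionally fetch each selector's public key and check `b=` before counting an aligned signature as a pass.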

DKIM is for authenticating the integrity of the message and will very frequently use different domains, as you have observed. To test this, evaluate ham in addition to spam to see how many legitimate senders you will be declaring as spam.

The problem you are attempting to solve is resolved through other standards, such as Sender Policy Framework (SPF) and Domain-based Authentication, Reporting & Conformance (DMARC).

It is why DKIM should not be relied on as the sole means to protect a domain from becoming a spammer's tool.

Paul