My current views on using DomainKeys (DKIM) here
Almost five years ago I wrote about my then-new view of DKIM and how we might someday use it ourselves when we'd updated our mailers enough. Well, the mailers have been updated for a while and not only aren't we using DKIM, I'm not inclined to do so any time soon. Prompted by someone here asking for my opinions on DKIM today, here are my current views.
As far as inbound email goes, I've experimented with a Thunderbird extension to verify DKIM signatures, which showed me that a bunch of perfectly good email gets either warnings or outright failures. Given this result it's clear that our inbound mail gateway can't do anything active with DKIM results, like start rejecting or visibly marking such email; the false positives would swamp any genuine benefit or signal that might be present.
In terms of spam and DKIM, I've seen plenty of spam that has DKIM signatures (and I assume they're valid ones). I've also seen plenty that doesn't. If DKIM data provides some sort of useful signal about spam versus non-spam for email, making use of it is best left up to the black box commercial anti-spam system that we use.
(DKIM does have some clear use in anti-spam stuff since it's a component of DMARC and some people are actively using DMARC these days. But for a collection of reasons we're not going to start enforcing other people's DMARC policies on our inbound mail gateway, although the anti-spam system may take that into account when it scores email.)
For outgoing email, my major concern remains what it was before, namely how other people's systems will behave. I simply don't know how other systems will react to all of our valid DKIM signed email, email we DKIM signed but that then got changed in transit, and email 'From:' us but without a DKIM signature from us. Without confidence that adding DKIM signing will be harmless, I don't feel any enthusiasm for doing so. At this point I'd probably only enable DKIM if there was some significant recipient system that started more or less demanding that we provide it in order to get our email delivered to them.
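As an added illustration of the "changed in transit" case (this is not code from the original post), here is a small Python sketch of the RFC 6376 body-hash step run over a constructed message body: relaxed canonicalization survives a relay re-wrapping whitespace, but neither canonicalization mode survives a mailing list appending its footer, which is one reason perfectly good mail fails verification. Header canonicalization and the signature itself are left out; only the bh= comparison is shown.

```python
import base64
import hashlib
import re

# Minimal RFC 6376 body canonicalization (sections 3.4.3 and 3.4.4).
def canon_body(body: bytes, mode: str) -> bytes:
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # collapse runs of WSP to one SP and strip trailing WSP per line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # both modes drop all empty lines at the end of the body
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # empty body: CRLF under simple, empty string under relaxed
        return b"\r\n" if mode == "simple" else b""
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Return the base64 bh= value a signer would put in DKIM-Signature."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def body_hash_survives(original: bytes, received: bytes, mode: str) -> bool:
    """True if a verifier recomputes the signer's bh= from the received body."""
    return body_hash(original, mode) == body_hash(received, mode)


# Constructed sample body as our signing mailer would see it (assumption).
ORIGINAL = b"Hello,\r\n\r\nThe meeting is at  3pm.\r\n-- \r\nsysadmin\r\n"
# The same body after a relay re-wrapped whitespace (tab, trailing spaces).
REWRAPPED = b"Hello,\r\n\r\nThe meeting is at\t3pm.  \r\n-- \r\nsysadmin\r\n"
# The same body after a mailing list appended its footer.
WITH_FOOTER = ORIGINAL + b"_______\r\nlist footer: to unsubscribe, ...\r\n"

if __name__ == "__main__":
    for name, received in (("rewrapped", REWRAPPED), ("list footer", WITH_FOOTER)):
        for mode in ("simple", "relaxed"):
            ok = body_hash_survives(ORIGINAL, received, mode)
            print(f"{name:12s} {mode:8s} bh intact: {ok}")
```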
(I'm sure that eg GMail would like us to start doing DKIM signing, but that they'd like us to do that is exactly why I don't want to. Almost anyone who actively cares about us doing DKIM is going to use it as input into a spam scoring system, and since we consider it fully valid to send email 'From:' our addresses but not through our machines, the last thing I want to do is enable that particular