DKIM signed email as a signal (of something)

May 19, 2019

Over on Twitter, I said:

So [mimecast.com] bills itself as a cyber-security firm that makes email more secure, and of course the only email I get from them is a spam email, with most of the contents being a brag ad footer for Mimecast itself.

Also, @Mimecast does not DKIM sign outgoing email, so I suspect that it is not going to be so good at being delivered to the increasing number of places that care about that.

(Not our mail server, obviously, for reasons. Mind you, spammers often DKIM sign their email too.)

These days, I have a bias. That bias is that if you are in any sort of 'email as a service' business and you don't sign your outgoing email with DKIM, you are probably not someone I want email from.

This is not because a (valid) DKIM signature means that your email isn't spam. Plenty of spammers put valid DKIM signatures on email these days. Instead it is because increasingly, large email places like GMail and so on are more or less insisting on DKIM signatures from many places. Not DKIM signing your email in the face of this speaks to a certain ignorance of or indifference to the modern practicalities of email, and I don't consider that a good sign. To put it one way, if you're not doing something as pragmatically important as DKIM signatures, what else are you not doing? The answer is unlikely to make me happy.

So far, for me this only applies to places that do email as their business in some way. If email is not part of your product, I don't think it's as much of a gap to leave out DKIM, and anyway there may be complex policy issues around things like DKIM and DMARC.

(Of course you may want to use DKIM, SPF, and DMARC, because the 800-pound gorillas of the email world may more or less require you to do so. But that's a different thing, and also a pragmatic decision for you to make.)

PS: In case you're curious, we don't currently DKIM sign any of our outgoing email, and we will probably never have a strong DMARC policy (this is subject to change, especially if the 800-pound gorillas start insisting; being able to deliver email to GMail is not optional for us). We do have a hand-waving SPF record, which we put in for partially superstitious reasons years ago. I have no idea if it does any good or any harm in general, although I'm sure that there are crazy people using the presence of '?all' in our record as an excuse to reject some email. My view on that is that sooner or later, crazy people will use anything at all to reject email.

(There are probably people today who refuse to accept email unless it's from domains with published strict DMARC policies. That's their choice and hopefully it works for them.)
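The two signals the post talks about, the mere presence of a DKIM signature on a message and the qualifier on the 'all' term of a sender's SPF record, can be turned into a small receiver-side scoring check. The code below is an added example, not code from this post or its author; the sample messages and SPF records are constructed, it does no DNS lookups, and it does not cryptographically verify the signature (that needs the signer's public key from DNS, for example via the dkimpy library). It encodes the post's reasoning: a signature is not evidence the mail is wanted, its absence from an email-as-a-service sender is the suspicious part, and a '?all' record is neutral rather than a reason to reject.

```python
"""Offline look at two weak email signals: does a message carry a
DKIM-Signature header at all, and what does the sender's SPF 'all'
qualifier say.  Sample data below is constructed; nothing is fetched."""
import email
import re
from email import policy
from email.utils import parseaddr

# Meaning of the qualifier on SPF's 'all' mechanism (RFC 7208).
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_all_qualifier(record):
    """Return the qualifier ('+', '-', '~', '?') on the 'all' term of an SPF
    TXT record, or None when the record is not SPF or has no 'all' term.
    A bare 'all' means '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def dkim_signing_domain(raw_message):
    """Return the d= tag of the first DKIM-Signature header, or None when the
    message carries no signature.  Only presence is checked here; whether the
    signature actually validates is a separate (DNS-backed) question."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
    return m.group(1).lower() if m else ""


def assess(raw_message, spf_record, email_is_their_business):
    """Combine the signals into notes a mail admin could act on.  A signature
    proves only that the signer holds the key, so it earns no credit; its
    absence from a sender whose business is email is flagged; a '?all' SPF
    record is reported as neutral, not as a failure."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    signer = dkim_signing_domain(raw_message)
    qual = spf_all_qualifier(spf_record)
    notes = []
    if signer is None:
        if email_is_their_business:
            notes.append("no DKIM signature from an email-as-a-service sender")
    elif signer != from_domain:
        # DMARC-style alignment: signer and From domain differ.
        notes.append(f"DKIM d={signer} does not match From domain {from_domain}")
    if qual is None:
        notes.append("no usable SPF record")
    elif qual == "?":
        notes.append("SPF ends in ?all (neutral): says nothing either way")
    return {"from_domain": from_domain, "dkim_signer": signer,
            "spf_all": SPF_QUALIFIERS.get(qual), "notes": notes}


# Constructed sample messages (signature values are placeholders).
SIGNED = (b"From: Alice <alice@example.com>\r\n"
          b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from;\r\n"
          b" bh=constructed; b=constructed\r\n"
          b"Subject: hello\r\n\r\nbody\r\n")
UNSIGNED = (b"From: Vendor <news@vendor.example>\r\n"
            b"Subject: product update\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(assess(UNSIGNED, "v=spf1 ip4:192.0.2.0/24 ?all", True))
    print(assess(SIGNED, "v=spf1 mx -all", False))
```

The function deliberately produces notes rather than an accept/reject decision: as the post says, a valid signature does not mean the mail is not spam, and a '?all' record on its own is a poor excuse to reject anything.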


Comments on this page:

By superkuh at 2019-05-20 17:28:55:

I hope the 800 lb gorillas never insist. Setting up my personal mailserver was hard enough. Eventually I caved and put in some spf records because it was easy. But DKIM signing is not easy. It'd be a shame to see the bar to email lifted so high everyone had to use centralized services.


Last modified: Sun May 19 21:39:30 2019