Some DKIM usage statistics from our recent inbound email (October 2018 edition)

October 22, 2018

By this point in time, DKIM (Domain Keys Identified Mail) has been around for long enough and enough large providers like GMail have been pushing for it that it has a certain decent amount of usage. In particular, a surprising number of sources of undesirable email seem to have adopted DKIM, or at least they add DKIM headers to their email. Our Exim setup logs the DKIM status of incoming email on our external MX gateway and for reasons beyond the scope of today's entry I have become interested in gathering some statistics about what sort of DKIM usage we see, who from, and how many of those DKIM signatures actually verify.

All of the following statistics are from the past ten days of full logs. Over that time we received 105,000 messages, or about 10,000 messages a day, which is broadly typical volume for us from what I remember. Over this ten day period, we saw 69,400 DKIM signatures, of which 55 were so mangled that Exim only reported:

DKIM: Error while running this message through validation, disabling signature verification.

(Later versions of Exim appear to log details about what went wrong, but the Ubuntu 16.04 version we're currently using doesn't.)

Now things get interesting, because it turns out that a surprising number of messages have more than one DKIM signature. Specifically, roughly 7,600 have two or more (and the three grand champions have six); in total we actually have only 61,000 unique messages with DKIM signatures (which still means that more than half of our incoming email had DKIM signatures). On top of that, 297 of those messages were actually rejected at SMTP time during DATA checks; it turns out that if you get as far as post-DATA checks, Exim is happy to verify the DKIM signature before it rejects the message.

The DKIM signatures break down as follows (all figures rounded down):

62240 verification succeeded
3340 verification failed - signature did not verify (headers probably modified in transit)
2660 invalid - public key record (currently?) unavailable
790 verification failed - body hash mismatch (body probably modified in transit)
310 invalid - syntax error in public key record

Of the DKIM signatures on the messages we rejected at SMTP time, 250 had successful verification, 45 had no public key record available, 5 had probably modified headers, and two were mangled. The 250 DKIM verifications for messages rejected at SMTP time had signatures from around 100 different domains, but a number of them were major places:


(I see that Yahoo is not quite dead yet.)

There were 5,090 different domains with successful DKIM verifications, of which 2,170 had only one DKIM signature and 990 had two. The top eight domains each had at least 1,000 DKIM signatures, and the very top one had over 6,100. That very top one is part of the university, so it's not really surprising that it sent us a lot of signed email.

Overall, between duplicate signatures and whatnot, 55,780 or so of the incoming email messages that we accepted at SMTP time had verified DKIM signatures, or just over half of them. On the one hand, that's a lot more than I expected. On the other hand, that strongly suggests that no one should expect to be able to insist on valid DKIM signatures any time soon; there are clearly a lot of mail senders that either don't do DKIM at all, don't have it set up right, or are having their messages mangled in transit (perhaps by mailing list software).

Among valid signatures, 46,270 were rsa-sha256 and 15,960 were rsa-sha1. The DKIM canonicalization (the 'c=' value reported by Exim) breaks down as follows:

 51470  c=relaxed/relaxed 
  9440  c=relaxed/simple 
  1290  c=simple/simple 
    20  c=simple/relaxed

I don't know if this means anything, but I figured I might as well note it. Simple/simple is apparently the default.

Comments on this page:

By Greg A. Woods at 2018-10-23 12:37:38:

Is there any notable pattern suggesting how/why so many messages have multiple signatures? Is it by any chance due to mailing lists?

What do you do when signatures are rejected as invalid? What if there are multiple signatures but at least one is valid and one invalid?

By cks at 2018-10-23 13:17:33:

I'll have to do some more work to analyze the multi-signature messages. As far as what we do, I should have said this explicitly; at the moment the only thing we do with DKIM signatures is let Exim log them. We don't reject or filter on them ourselves, although it's possible DKIM signatures now factor into the calculations made by our black-box commercial anti-spam program (it's Sophos PureMessage).

(That our Exim logs DKIM verification and doesn't currently say anything about SPF or DMARC state is one reason why I'm only analyzing DKIM here. It's right there in the logs, so I don't have to do anything special.)

Written on 22 October 2018.
« Using group_* vector matching in Prometheus for database lookups
ZFS scrubs check (much) less than you probably think they do »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Oct 22 23:15:41 2018
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.