Is there anything bad about DKIM-signing mail without the key in DNS?

At a site that I manage, we send out emails for many customer domains.

Some of them have our DKIM key in DNS, some don't.

From what I can tell:

Signature verification failure does not force rejection of the message.

But is that actually the case? In the real world can I just sign EVERYTHING with our key (without doing SRS) and be happy?


Solution 1:

But is that actually the case?

Yes.

In the real world can I just sign EVERYTHING with our key (without doing SRS) and be happy?

Yes. It is frequently done with no ill effect. Some MTAs aren't clever enough to sign messages with per-domain DKIM keys and can only operate as you have described, signing everything with a single key. I have personally modified two MTAs to add per-domain DKIM signing support.

Email messages often carry multiple DKIM-Signature headers as they transit the internet. It's not uncommon for an organization's MTA to DKIM sign messages and then relay them to a smarthost at their ISP that also DKIM signs the message. A recipient of that message would thus see both DKIM signatures.

TL;DR:

DKIM = DomainKeys Identified Mail. When a receiver validates a DKIM signature, they are merely authenticating the identity of the message's sender. As an example, if an email message arrived bearing a DKIM-Signature header and a d=example.com property, and that DKIM signature passed validation, then the recipient can trust that the message was sent by an organization that:

  • has control of the DNS for example.com
  • was in possession of the DKIM private key for example.com
  • the message hasn't been tampered with in transit

That holds for as many DKIM-Signature headers as the message bears.

Practically nobody rejects emails based on failed DKIM signatures. Being unable to fetch the domain's DKIM public key counts as a failure. A significant percentage of valid email streams have broken DKIM signatures, particularly on messages that have transited a mailing list.

DMARC doesn't change DKIM. At all. DMARC = Domain-based Message Authentication, Reporting & Conformance. DMARC is a mechanism for authenticating the sending domain of an email message, as displayed in the From header of the message. DMARC is most effective at combating phishing, as it provides email senders with a reliable means to say, "if the message's Envelope Sender is not aligned with our domain (SPF) or the From message header is not DKIM aligned with our domain, then the message was not sent by us and you should (reject|quarantine|pass) it." DMARC also provides some great reporting features for domain owners. DMARC is commonly used by organizations (banks, large email providers, etc.) that miscreants have incentives to impersonate.

DMARC is thus a policy layer atop DKIM and SPF. When DMARC is in use, it imposes additional alignment requirements upon DKIM and SPF in order to pass DMARC validation. Only DKIM signatures that pass and have a d= property that aligns with the message's From header can yield a DMARC pass result. Each DKIM key can still pass or fail DKIM validation, and the consequences are no different for DKIM before or after DMARC.
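An added example, not part of the answer above, modelling the alignment rule it describes: a DKIM signature only helps DMARC when it verifies and its d= aligns with the From domain, and a signature whose key cannot be fetched counts as a failure. The domain names are constructed, and the organizational-domain lookup is a simplification (real evaluators use the Public Suffix List).

```python
from dataclasses import dataclass, field

@dataclass
class DkimResult:
    d: str            # d= tag of the DKIM-Signature header
    verified: bool    # False if the key could not be fetched from DNS or the check failed

@dataclass
class MessageAuth:
    from_domain: str          # domain in the RFC 5322 From header
    spf_domain: str           # envelope sender (MAIL FROM) domain
    spf_pass: bool
    dkim: list = field(default_factory=list)

def organizational_domain(domain):
    # Simplification (assumption): last two labels. Real DMARC uses the
    # Public Suffix List, so "mail.example.co.uk" would be handled wrongly here.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(identifier, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return organizational_domain(identifier) == organizational_domain(from_domain)

def dmarc_pass(msg, adkim="r", aspf="r"):
    """Return (passes, reason): DMARC needs one aligned *and* authenticated identifier."""
    for sig in msg.dkim:
        if sig.verified and aligned(sig.d, msg.from_domain, adkim):
            return True, "dkim aligned via d=" + sig.d
    if msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, aspf):
        return True, "spf aligned via " + msg.spf_domain
    return False, "no aligned authenticated identifier"

# Scenario 1 (constructed): provider signs a customer's mail with d=customer.example,
# but the customer never published the key, so that signature fails; the provider's
# own signature verifies but is not aligned with the From domain.
UNPUBLISHED = MessageAuth("customer.example", "bounce.provider.example", spf_pass=True,
                          dkim=[DkimResult("customer.example", verified=False),
                                DkimResult("provider.example", verified=True)])

# Scenario 2 (constructed): same mail, but the customer has the key in DNS.
PUBLISHED = MessageAuth("customer.example", "bounce.provider.example", spf_pass=True,
                        dkim=[DkimResult("customer.example", verified=True),
                              DkimResult("provider.example", verified=True)])

if __name__ == "__main__":
    print("key not in DNS:", dmarc_pass(UNPUBLISHED))   # (False, ...)
    print("key in DNS:    ", dmarc_pass(PUBLISHED))     # (True, 'dkim aligned via d=customer.example')
```

The DKIM failure itself changes nothing about delivery; it is the customer's DMARC policy, if any, that turns the unaligned result into a quarantine or reject.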

Solution 2:

A DMARC policy can change that outcome. DMARC is the combination of SPF and DKIM which alters the disposition.