
What should be done with incoming emails that fail DKIM verification?

Last Modified: 2010-04-07
Is it wrong to block emails that fail DKIM verification?

See this DKIM FAQ:

DKIM Frequently Asked Questions


I'd say that automatically failing them will only guarantee the delivery of messages that are sent by DKIM participants. That is by no means every legitimate email user who may want to send you email.


Sorry, I don't think I understand what you mean. If you mean that blocking emails that fail DKIM verification will block legitimate emails that do not use DKIM, then that is absolutely false. If an incoming email is not signed (not using DKIM), then it is impossible for it to fail DKIM verification. Only emails that implement DKIM (are digitally signed) have DKIM verification performed. Thus, if DKIM verification is not performed, then it cannot fail. My question is: if an incoming email USES DKIM SIGNING and subsequently fails DKIM verification, then should it be blocked?
Sorry. You are correct.

With DKIM a message might fail verification when a sender only signs *some* messages rather than *all* messages.

Since DKIM only defines a signature as taking responsibility for a message and does not make any assertion of correctness of the From: header field, I wouldn't recommend automatically rejecting all messages that fail out of hand.

Better to mark them as Suspicious and verify their legitimacy first. Kinda like quarantining suspected SPAM.
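The disposition the answer above recommends (unsigned mail is never verified and so cannot fail, a failing signature is quarantined and reviewed rather than bounced, and a passing signature vouches for the signing domain but not for the From: header), as an added Python example that is not part of the original thread. It reads the Authentication-Results header (RFC 8601 syntax) that a DKIM verifier on the receiving MTA records, and decides what to do with the message. The header names and the `dkim=` result values are real; the `dkim_disposition` policy, the ACCEPT/QUARANTINE names and the three messages at the bottom are this example's own constructed material.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Dispositions a receiving MTA can apply (this example's own policy names).
ACCEPT = "accept"
QUARANTINE = "quarantine"   # deliver to a suspicious/junk folder and review before trusting

# One "method=result (comment) prop=value ..." statement from an
# Authentication-Results header (RFC 8601).
_RESSTMT = re.compile(
    r"^\s*(?P<method>[a-z0-9-]+)=(?P<result>[a-z]+)\s*(?:\(.*?\))?\s*(?P<props>.*)$", re.I)
_PROP = re.compile(r"([a-z]+\.[a-z]+)=(\S+)", re.I)


def parse_authentication_results(value):
    """Return (authserv-id, {method: {"result": ..., "header.d": ...}})."""
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0] if parts and parts[0] else ""
    results = {}
    for stmt in parts[1:]:
        if not stmt or stmt.lower() == "none":   # "authserv-id; none" = nothing was checked
            continue
        m = _RESSTMT.match(stmt)
        if not m:
            continue
        entry = {"result": m.group("result").lower()}
        for key, val in _PROP.findall(m.group("props")):
            entry[key.lower()] = val
        results[m.group("method").lower()] = entry
    return authserv_id, results


def dkim_disposition(raw_message):
    """Decide what to do with a message given the verifier's recorded DKIM result."""
    msg = message_from_string(raw_message)
    signed = msg.get("DKIM-Signature") is not None
    _, results = parse_authentication_results(msg.get("Authentication-Results", ""))
    dkim = results.get("dkim")

    if not signed:
        # No signature means no verification was performed, so there is nothing to fail.
        return ACCEPT, "unsigned: DKIM verification not applicable"
    if dkim is None or dkim["result"] == "none":
        return ACCEPT, "signed but no verification result recorded: treated as unverified"

    result = dkim["result"]
    if result == "pass":
        # A valid signature only means the d= domain takes responsibility for the
        # message; it does not vouch for the From: header, so report whether the
        # two even agree instead of treating "pass" as proof of the sender.
        from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        signer = dkim.get("header.d", "").lower()
        relation = "matches" if signer == from_domain else "does not match"
        return ACCEPT, "signer %s %s From: domain %s" % (signer, relation, from_domain)
    if result in ("fail", "permerror"):
        # Broken or unverifiable signature: could be forgery, could be a mailing
        # list or forwarder that modified the message in transit, so hold it for
        # review rather than bouncing it outright.
        return QUARANTINE, "signed but verification returned %s; hold for review" % result
    # temperror and anything unknown: the verifier could not decide, so the
    # message is unverified, not proven forged.
    return ACCEPT, "dkim result %s: treated as unverified" % result


# Constructed sample messages (not real traffic); signature values are dummies.
SIGNED_FAIL = """From: Alice <alice@example.com>
To: bob@example.net
Subject: invoice
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; h=from:to:subject; bh=AAAA; b=BBBB
Authentication-Results: mx.example.net; dkim=fail (body hash did not verify) header.d=example.com header.i=@example.com

Please see the attached invoice.
"""

UNSIGNED = """From: Carol <carol@example.org>
To: bob@example.net
Subject: hello
Authentication-Results: mx.example.net; dkim=none

No signature on this one.
"""

SIGNED_PASS_OTHER_DOMAIN = """From: Alice <alice@example.com>
To: bob@example.net
Subject: newsletter
DKIM-Signature: v=1; a=rsa-sha256; d=bulkmailer.example; s=sel; h=from:to:subject; bh=AAAA; b=BBBB
Authentication-Results: mx.example.net; dkim=pass header.d=bulkmailer.example

Sent through a third-party mailer that signs with its own domain.
"""

if __name__ == "__main__":
    for name, raw in (("signed, fails", SIGNED_FAIL), ("unsigned", UNSIGNED),
                      ("signed by other domain", SIGNED_PASS_OTHER_DOMAIN)):
        print("%-22s -> %s (%s)" % ((name,) + dkim_disposition(raw)))
```

The third sample is the case the answer warns about: the signature verifies, but the signing domain is not the From: domain, so a "pass" here tells you who took responsibility for relaying the message, not that alice@example.com wrote it.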
