RE: Using results of dkim for gmail

From: Martijn Grooten <martijn.grooten_at_virusbtn.com>
Date: Thu, 11 Aug 2011 12:23:00 +0100

> My understanding is that gmail ALWAYS signs messages via dkim, as does
> ebay and paypal. In 2008, gmail started blocking ebay and paypal
> messages that did not pass dkim checking. I'd like to do something
> similar. So, is there any flaw if I decide to:
>
> If an email comes from gmail or ebay or paypal, and, it has no dkim
> signature, reject the message
>
> Note, I didn't even say it had to pass. It would seem that there should
> be no chance of it not being signed, right? So, any message meeting my
> criteria is 100% forged.

I know of at least one (proprietary) spam-filter that did just that: blocking/discarding messages claiming to come from Gmail with no DKIM-signature at all.

Then they stopped doing it, because Gmail did not sign Gmail-to-Gmail messages and when the recipient had set a forwarding rule, the message still wasn't signed.

This has since been fixed (I just verified - Gmail does now sign Gmail-to-Gmail messages, as does it sign) but because of an edge case like this I would be hesitant to assume Gmail signs all messages, just because it looks like they do.

Just my two cents...

Martijn.


Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
Received on Thu Aug 11 2011 - 11:23:18 PST
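
Added example, not part of the original message or of any filter mentioned in it: a sketch of the "no DKIM signature at all" rule discussed above, with the action for unsigned mail made configurable so it can run in flag-only mode while edge cases such as the unsigned Gmail-to-Gmail forward are still being observed. The domain list, function names and sample messages are assumptions constructed for illustration; the check looks only for the presence of a signature and verifies nothing.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: senders the operator believes always sign (the three from the thread).
EXPECTED_SIGNERS = {"gmail.com", "ebay.com", "paypal.com"}

def from_domain(msg):
    """Domain of the From: address, lower-cased ('' if missing)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def signing_domains(msg):
    """d= tag of every DKIM-Signature header. Presence only, nothing is verified."""
    found = set()
    for value in msg.get_all("DKIM-Signature", []):
        for tag in re.sub(r"\s+", "", value).split(";"):  # undo header folding
            name, _, val = tag.partition("=")
            if name == "d" and val:
                found.add(val.lower())
    return found

def classify(raw, unsigned_action="flag"):
    """Return 'not-applicable', 'signed', or unsigned_action ('flag' or 'reject')."""
    msg = message_from_string(raw)
    author = from_domain(msg)
    if author not in EXPECTED_SIGNERS:
        return "not-applicable"
    # A signature from an unrelated domain does not count for this rule.
    if author in signing_domains(msg):
        return "signed"
    return unsigned_action

# Constructed sample messages (not real mail).
SIGNED = ("From: Alice <alice@gmail.com>\n"
          "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
          "\td=gmail.com; s=constructed; bh=AAAA=; b=BBBB\n"
          "Subject: signed\n\nbody\n")
UNSIGNED = "From: Bob <bob@gmail.com>\nSubject: forwarded, unsigned\n\nbody\n"
OTHER = "From: carol@example.org\nSubject: other sender\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("unsigned", UNSIGNED), ("other", OTHER)):
        print(name, "->", classify(raw))
```

Counting how often the flag-only mode fires on mail known to be legitimate shows whether the assumption that a sender signs everything actually holds before `unsigned_action` is switched to `"reject"`.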
