
Microsoft and GOV.UK recommend creating a record like the following on any domain that doesn’t send email.

TXT    *._domainkey    v=DKIM1;p=

As I understand it, the purpose is to explicitly fail DKIM, rather than leaving open the possibility that real emails from this domain don’t use DKIM.

But I don’t see how it accomplishes that. If the spammer includes an invalid DKIM header, then it’s invalid, not just missing, whether the DNS lookup result is no match or a conflicting match. And if the spammer omits the DKIM header, then a wildcard DNS record doesn’t tell you that there isn’t a valid DKIM record somewhere. It doesn’t communicate that the email should have used DKIM, while the following does:

TXT    _domainkey    o=!

So what is the wildcard invalid DKIM record accomplishing?

twhb

1 Answer


If you already have a DMARC policy with p=reject stating that either SPF or DKIM must be aligned and pass, and an SPF policy with just -all rejecting everything, having this DKIM policy does not really add anything. The SPF will fail for any receiving server checking SPF, and DMARC will fail on servers checking DMARC, because SPF fails and DKIM is always either none or invalid, i.e., never the pass that is required.

This might help in some corner cases with servers checking DKIM without checking DMARC, but that seems rather theoretical.

Esa Jokinen
  • Setting strict alignment with `adkim=s; aspf=s; p=reject;` in the DMARC record will additionally help trigger alignment mismatches and therefore rejections. It'll also lighten DNS query volume to your servers, which is the only justification I can think of for the odd MS/UK advice. – Adam Katz Jun 22 '22 at 18:53
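To make the answer's argument concrete, here is an added example (not code from the question, the answer or the comment) that models, offline, how a DMARC-checking receiver disposes of mail claiming to come from a no-mail domain published with SPF `-all`, DMARC `p=reject; adkim=s; aspf=s` and the wildcard `*._domainkey` record with an empty `p=`. The domain names, zone data and the simplified organisational-domain rule are constructed assumptions; no real DNS is queried and no signature cryptography is performed.

```python
# Added example (not from the thread): offline model of a DMARC-checking receiver handling
# mail that claims to come from a no-mail domain. All DNS data below is constructed.
NOMAIL = "nomail.example"  # constructed no-mail domain
OTHER = "sender.example"   # constructed third-party domain that does sign its mail

ZONE = {  # constructed records: SPF -all, DMARC p=reject with strict alignment, wildcard DKIM
    NOMAIL: "v=spf1 -all",
    f"_dmarc.{NOMAIL}": "v=DMARC1; p=reject; adkim=s; aspf=s",
    f"*._domainkey.{NOMAIL}": "v=DKIM1;p=",
    f"sel1._domainkey.{OTHER}": "v=DKIM1; p=PLACEHOLDER_PUBLIC_KEY",
}

def lookup_txt(name):
    """Exact owner name first, then the *.<rest> wildcard, as DNS answers for any selector."""
    if name in ZONE:
        return ZONE[name]
    return ZONE.get("*." + name.split(".", 1)[1]) if "." in name else None

def tags(record):
    """Parse 'k=v; k=v' into a dict; an empty value such as 'p=' is kept as ''."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def spf_result(mail_from_domain):
    # For a domain that sends no mail only the -all mechanism matters.
    rec = lookup_txt(mail_from_domain)
    return "fail" if rec and rec.endswith("-all") else "none"

def dkim_result(selector, d):
    # 'none' if unsigned; 'permfail' if there is no key record or the record has an empty p=
    # (RFC 6376 3.6.1: revoked key); otherwise this model assumes the signature verifies.
    if selector is None:
        return "none"
    rec = lookup_txt(f"{selector}._domainkey.{d}")
    return "permfail" if rec is None or tags(rec).get("p", "") == "" else "pass"

def aligned(auth_domain, header_from, mode):
    org = lambda h: ".".join(h.split(".")[-2:])  # constructed: last two labels as org domain
    return auth_domain == header_from if mode == "s" else org(auth_domain) == org(header_from)

def dmarc_disposition(header_from, mail_from, selector=None, d=None):
    """DMARC passes only if an aligned SPF or DKIM identifier passes; otherwise apply p=."""
    pol = tags(lookup_txt(f"_dmarc.{header_from}") or "")
    spf_ok = spf_result(mail_from) == "pass" and aligned(mail_from, header_from, pol.get("aspf", "r"))
    dkim_ok = (d is not None and dkim_result(selector, d) == "pass"
               and aligned(d, header_from, pol.get("adkim", "r")))
    return "pass" if spf_ok or dkim_ok else pol.get("p", "none")

if __name__ == "__main__":
    print(dmarc_disposition(NOMAIL, NOMAIL))                    # unsigned: reject
    print(dmarc_disposition(NOMAIL, NOMAIL, "anysel", NOMAIL))  # forged selector hits p= : reject
    print(dmarc_disposition(NOMAIL, NOMAIL, "sel1", OTHER))     # verifies but unaligned: reject
```

All three forged cases end in `reject` whether the wildcard record exists or not, because the disposition is decided by SPF failing and no aligned DKIM pass; the wildcard only changes the DKIM result from `none` or a missing-key `permfail` to a revoked-key `permfail`.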