> What do we do when there is no signature and no d= domain to
> work with?
> This is sort of hazy in my mind.

You do anything you want to do. Perhaps more correctly, you do what
you're doing now. If there's no signature, it's not a DKIM message.

Even if my policy states that it must be signed?

Whoa, whoa. Hang on. A signing policy is something that exists for
the *receiver*. If you get a message that has no signature, your
policy doesn't come into play. The *sender's* policy comes into play.
You are permitted to go out and look at their policy. Heck, you're
*encouraged* to. But the Internet Police aren't going to remove your
routes if you're running an old mailer that doesn't speak DKIM.

The sender's policy states what they want you to do if there's no
signature. If that policy says that their messages must be signed,
they're saying they want you to black-hole that message (insert small
hand-wave here in the interest of simplicity).

In the absence of DKIM, you have a responsibility to deliver that
message. (Again, insert a small handwave here, ignoring spam filters,
etc.) The combination of DKIM and SSP is a statement that absolves
you of that responsibility. It actually states a desire on the part
of that alleged sender that they want you to treat it as if it were a

Now, there is no reason why your mail system can't have a setting
that says to put messages failing SSP in a special maildir. Or to do
some other thing, too.