ietf-mailsig

Re: what signatures mean, was Most recent sender.

2005-01-15 08:41:27

A missing signature _can_ be assumed to mean forgery, from the moment
the sending domain first advertises that they're signing all
mail. That assumption is only going to be wrong if they cocked up and
advertised _wrongly_ that they're signing all mail when they aren't.

If you want to reject mail with broken or missing signatures,
nothing's going to keep you from doing so.  I will be surprised if you
can do so any time soon without rejecting more real mail than you're
willing to lose, but it's up to you.

Like any other spam measure, the longer it's around and the more
widely it's accepted, the more weight you can give to its absence.
Ten years ago you couldn't even reject mail where the return address
had no A or MX.  A few years after that, people tried rejecting mail
from sending hosts with no rDNS, and found way too many real senders
(including at least one large ISP that should have known better) whose
mail failed.  Now it's perfectly safe to do the first and, other than
mail from a few remote corners of Asia, safe to do rDNS checks, too.

Different people will be more or less aggressive, and as I said in
another message, I expect that we'll find it useful to treat a broken
or missing signature on mail from paypal.com more seriously than one
on mail from bigstateu.edu.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
http://www.taugh.com
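As an added illustration of the weighting argued for above (example code written for this archive page, not part of John Levine's message or any real filter), the function below combines three things: whether the sending domain advertises that it signs all mail, the state of the signature on the message, and how widely the scheme has been adopted. The domain names come from the thread; the policy lookup, strictness values and thresholds are constructed and hypothetical.

```python
# Constructed sample of what each sending domain advertises about signing.
# A real receiver would look this up (e.g. via DNS), not hard-code it.
SIGNS_ALL_MAIL = {"paypal.com": True, "bigstateu.edu": False}

# Hypothetical per-domain strictness: failures from a high-value domain
# are taken more seriously than from a university.
STRICTNESS = {"paypal.com": 1.0}
DEFAULT_STRICTNESS = 0.3


def signature_penalty(domain, status, adoption):
    """Penalty in [0, 1] for a message from `domain` whose signature is
    'valid', 'broken' or 'missing'. `adoption` in [0, 1] models how long the
    scheme has been around and how widely it is accepted: the higher it is,
    the more weight the absence of a signature carries."""
    if status == "valid":
        return 0.0
    if status not in ("broken", "missing"):
        raise ValueError(f"unknown signature status: {status}")
    signs_all = SIGNS_ALL_MAIL.get(domain, False)
    strict = STRICTNESS.get(domain, DEFAULT_STRICTNESS)
    if status == "missing" and not signs_all:
        # The domain never promised to sign everything, so a missing
        # signature is weak evidence and only counts as adoption grows.
        return round(0.2 * adoption * strict, 3)
    # A broken signature, or a missing one from a domain that advertises
    # signing all mail, is strong evidence once the scheme is established.
    base = 1.0 if signs_all else 0.5
    return round(base * strict * max(adoption, 0.5), 3)


def decide(domain, status, adoption, reject_at=0.8, flag_at=0.3):
    """Map the penalty to an action. The thresholds express the receiver's
    own tolerance for losing real mail; they are constructed values."""
    penalty = signature_penalty(domain, status, adoption)
    if penalty >= reject_at:
        return "reject"
    if penalty >= flag_at:
        return "flag"
    return "accept"


if __name__ == "__main__":
    for case in [("paypal.com", "missing", 1.0), ("paypal.com", "broken", 0.5),
                 ("bigstateu.edu", "missing", 0.1), ("bigstateu.edu", "broken", 1.0)]:
        print(case, signature_penalty(*case), decide(*case))
```

Raising `adoption` over time is what turns a mild flag into a rejection, which is the progression the message describes for A/MX and rDNS checks.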

