With DKIM, however, I need to know which selector they used when signing their email; if a failure occurs, the SMTP log just records that failure but no details. I'm wondering if either of the two possibilities below makes sense:
(1) include a separate DKIM log where incoming / outgoing could be checked (as with other log options), and be able to record the public DKIM record specified by (for SMTP) the incoming email and (for outgoing mail) the one used by AMS to sign sent mail.
(2) just include the selector used upon DKIM check (regardless of success / failure) in SMTP logs, so the record on a fail / permerror could be something like
Wed, 20 Nov 2024 17:24:59 -> 40.107.92.116 -> Failed: Action=[DKIM], Details=[Result=FAIL, Selector=<selector>]
There are a couple of sites that do archive past DKIM records, but so far they've largely been unhelpful. I don't necessarily want to quarantine rather than reject DKIM fails/permerrors, as bad mails would be expected to have this behavior also, but for 'legit' senders I need the selector value to be able to look up their record, and I don't have the header without turning on debugging for the entire SMTP log, which is... well, a bit much for what I ultimately need.

Being able to, say, log the header for any DKIM fails / permerrors in a separate log file with the full header would be perfect; I'm not sure if that can be easily done with the custom events SPAM-DKIM-FAIL and SPAM-SPF-PERMERROR?
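For reference, the information the post is after lives in the DKIM-Signature header itself: the d= tag gives the signing domain and the s= tag the selector, and the public key record is the TXT record at <selector>._domainkey.<domain> (RFC 6376). The following is an added example, not code from the original post or from the mail server being discussed; it pulls those tags out of a raw message head, flags signatures that are missing a required tag (which a verifier reports as a permerror), and sanity-checks a fetched TXT record. The message head and the TXT record used as input are constructed samples, not real mail.

```python
import re
from typing import Dict, List, Optional

# Constructed sample message head (not a real message). The first DKIM-Signature is
# folded across several lines, as MTAs commonly emit it; the second one lacks s=.
SAMPLE_MESSAGE = (
    "Received: from mail.example.com ([192.0.2.10])\r\n"
    "\tby mx.example.net; Wed, 20 Nov 2024 17:24:59 +0000\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=selector1; t=1732123499; h=from:to:subject:date;\r\n"
    "\tbh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;\r\n"
    "\tb=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ==\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; h=from; bh=AAAA=; b=BBBB=\r\n"
    "From: sender@example.com\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

# Tags RFC 6376 section 3.5 marks as required in a DKIM-Signature header.
REQUIRED_SIGNATURE_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def unfold_headers(raw_message: str) -> List[str]:
    """Return the logical header lines of a message, undoing RFC 5322 folding
    (a line break followed by whitespace continues the previous header)."""
    head = raw_message.replace("\r\n", "\n").split("\n\n", 1)[0]
    return re.sub(r"\n[ \t]+", " ", head).split("\n")


def parse_tags(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2). Whitespace inside a
    value is removed so a folded b= or bh= comes out as a single token."""
    tags: Dict[str, str] = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        name, val = item.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def signature_info(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """For every DKIM-Signature header, return the signing domain, the selector
    and the DNS name whose TXT record holds the public key. A signature that is
    missing a required tag is reported the way a verifier would: PERMERROR."""
    results = []
    for line in unfold_headers(raw_message):
        name, _, value = line.partition(":")
        if name.strip().lower() != "dkim-signature":
            continue
        tags = parse_tags(value)
        domain, selector = tags.get("d"), tags.get("s")
        missing = [t for t in REQUIRED_SIGNATURE_TAGS if t not in tags]
        results.append({
            "domain": domain,
            "selector": selector,
            "dns_name": f"{selector}._domainkey.{domain}" if domain and selector else None,
            "status": "PERMERROR: missing " + ",".join(missing) if missing else "OK",
        })
    return results


def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Sanity-check the TXT record fetched for <selector>._domainkey.<domain>.
    An empty p= means the key was revoked (RFC 6376 section 3.6.1); a wrong v=
    is a permerror. Flags in t= (y = testing, s = strict i=) are passed through."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"status": "PERMERROR: unsupported version " + tags["v"]}
    if not tags.get("p"):
        return {"status": "revoked (empty p=)"}
    return {
        "status": "OK",
        "key_type": tags.get("k", "rsa"),
        "flags": tags.get("t", ""),
        "public_key": tags["p"],
    }


if __name__ == "__main__":
    for sig in signature_info(SAMPLE_MESSAGE):
        print(sig)
    # Constructed record: a revoked key, which is what you see when a sender rotated
    # selectors and kept the old name published with no key material.
    print(parse_dkim_record("v=DKIM1; k=rsa; p="))
```

Once you have the dns_name value from a failing message, `dig TXT selector1._domainkey.example.com` (or the equivalent nslookup query) fetches the record the verifier used, which is exactly the detail the SMTP log omits on a fail. Note that a message can carry several DKIM-Signature headers, so the selector worth logging is the one from the signature whose d= matches the domain the check was made against.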