I don't see how I can agree with you. For example, in my case, mail from the nobaloney.net domain may come from our billing provider (we use an external billing service at this time), our domain registration system (which uses LogicBoxes software and runs on their servers), our certificate issuing system (which runs on the Certification Authority's servers), from certain other providers, and even from gmail. They won't be signed by DKIM. Or if they will be (I'm not sure, and I'm not checking now), they won't be signed by our DKIM. But they're all legitimate and all from us.
Since this was posted a while ago, maybe you now understand better how it works, but I just wanted to add that you don't need to sign all the emails from your domain. A simple change in the DNS entry will indicate that only some of it is signed. This can be reinforced with ADSP.
Also, regarding this implementation, it's usually best to start in testing mode, in order to avoid being blocked or flagged. Once things are working 100%, one can switch to production mode.
All the rules for incoming emails simply warn the recipient, so there is no real need for additional rules, but if one wanted to block or delay emails, here are a few tips:
- Use a list of known senders. If an email coming from gmail doesn't have a DKIM signature, "block" it; it's a spoof.
- When a signature verification fails, check if the domain sending it is in testing mode. You can then make decisions based on that result.
And if people want more antispam features and Jeff lacks the time to develop his solution further, there is always "spamblocker on steroids", ASSP.
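The two receiver-side rules in the reply above (reject unsigned mail from domains known to sign everything; do not penalize a failed signature when the signer's selector record carries the DKIM testing flag `t=y`) can be expressed as a small policy function. The following is an added example, not code from the original thread or from Jeff's software or ASSP. It assumes the actual cryptographic verification has already been done by some external verifier and is passed in as `pass`/`fail`/`None`; the DNS records are a constructed in-memory table standing in for live TXT lookups of `<selector>._domainkey.<domain>` (RFC 6376) and `_adsp._domainkey.<domain>` (RFC 5617, later reclassified as Historic), and `KNOWN_SIGNERS`, `example.com` and `example.net` are local assumptions for illustration:

```python
"""Receiver-side DKIM policy: decide what to do with unsigned or failing mail.

Assumes an external verifier has already checked the signature; this code only
applies policy based on the DKIM key record's testing flag and ADSP.
"""

# Constructed DNS TXT records standing in for live lookups (not real keys).
DNS_TXT = {
    # example.net is still in testing mode: its selector record carries t=y.
    "sel1._domainkey.example.net": "v=DKIM1; t=y; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    # example.com is in production: no t= flag on its key.
    "s2048._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    # example.com also asserts via ADSP that all its mail is signed.
    "_adsp._domainkey.example.com": "dkim=all",
    # example.net publishes no ADSP record, so its policy is "unknown".
}

# Local list of domains the operator knows always sign (the "known senders" tip).
KNOWN_SIGNERS = {"example.com"}


def parse_tags(record):
    """Parse a DKIM tag=value list ('v=DKIM1; t=y; k=rsa') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)   # base64 values may contain '='
            tags[key.strip()] = value.strip()
    return tags


def in_testing_mode(domain, selector):
    """True if the signer's key record has the 'y' testing flag (RFC 6376 3.6.1)."""
    record = DNS_TXT.get(f"{selector}._domainkey.{domain}")
    if record is None:
        return False
    flags = parse_tags(record).get("t", "")
    return "y" in flags.split(":")            # t= may hold several flags, ':'-separated


def adsp_policy(domain):
    """Return the ADSP practice for a domain: 'unknown' (default), 'all' or 'discardable'."""
    record = DNS_TXT.get(f"_adsp._domainkey.{domain}")
    if record is None:
        return "unknown"
    return parse_tags(record).get("dkim", "unknown")


def decide(from_domain, signature, verify_result):
    """Apply policy to one message.

    from_domain   -- domain of the From: header
    signature     -- the DKIM-Signature header value, or None if absent
    verify_result -- 'pass', 'fail' or None, from the external verifier (assumed)
    Returns (action, reason) where action is 'accept', 'quarantine' or 'reject'.
    """
    if signature is None:
        # Unsigned: only act if the domain (by local list or ADSP) claims to sign everything.
        if from_domain in KNOWN_SIGNERS or adsp_policy(from_domain) in ("all", "discardable"):
            return ("reject", f"{from_domain} signs all mail but this message is unsigned")
        return ("accept", f"unsigned mail allowed; {from_domain} does not claim to sign everything")

    tags = parse_tags(signature)
    signer, selector = tags.get("d", ""), tags.get("s", "")
    if verify_result == "pass":
        return ("accept", f"valid signature from {signer}")
    if in_testing_mode(signer, selector):
        # RFC 6376: a signer in testing mode must be treated like unsigned mail, so only warn.
        return ("accept", f"{signer} is in DKIM testing mode (t=y); signature failure ignored")
    return ("quarantine", f"signature from {signer} failed verification")


if __name__ == "__main__":
    sig_net = "v=1; a=rsa-sha256; d=example.net; s=sel1; h=from:to; bh=abc=; b=xyz=="
    sig_com = "v=1; a=rsa-sha256; d=example.com; s=s2048; h=from:to; bh=abc=; b=xyz=="
    for args in [("example.com", None, None), ("example.net", None, None),
                 ("example.net", sig_net, "fail"), ("example.com", sig_com, "fail"),
                 ("example.com", sig_com, "pass")]:
        print(args[0], args[2], "->", decide(*args))
```

Note that the ADSP branch here is only as good as the sender's record: a domain like the one described in the first post, which legitimately sends through several third parties that do not sign with its key, must not publish `dkim=all`, or exactly this kind of receiver rule will reject its billing and registrar mail.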