Dňa 14. apríla 2023 11:26:13 UTC používateľ Cyril - ImprovMX via mailop <mailop@mailop.org> napísal:
>What would be the best behavior here? Should we rely on both the SPF AND >DKIM to refuse an email (compared to just the SPF), even if no DMARC are >set? >What is the best approach here? I don't know what is best, but i do that with SPF/DMARC: 1. before DATA i count SPF but i do not reject on SPF base 2. after (at) DATA rspamd checks all (SPF, DKIM & DMARC) and report results 3. in MTA process these results and do appropriate action, if any The "counting" SPF results before DATA i use in my MTA's scoring, thus message (sender) can be rejected, but standalone SPF fail is not enough for that (2 of 6)... To simplify processing rspamd's results in MTA (exim) i setup its "force" actions, thus in MTA i see something final -- the generic result and exact reason, eg. "SPF_REJECT", where SPF related result is given only in case no DMARC at all or DMARC with policy none. It take forwarders into account too. IMO, one cannot use standalone SPF nowadays, as DMARC can bypass/overwrite (with conjunction with DKIM) SPF results, thus can decision on it only after DMARC checking. regards -- Slavko https://www.slavino.sk/ _______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
