On 2025-01-24 at 16:56:40 UTC-0500 (Fri, 24 Jan 2025 22:56:40 +0100)
Andreas Kuhlen via Postfix-users <t...@mandogo.de>
is rumored to have said:

> Hi, dear list members!
>
> I don't know if I'm asking in the right place, but since opendmarc is
> configured as a milter in Postfix, I'll just ask it.
>
> Today I received a mail that did not have a dmarc signature.
>
> 2025-01-24T21:52:15.374433+01:00 crosis opendkim[1183]: C01D06003F: m6.so-net.net.tw [61.64.127.96] not internal
> 2025-01-24T21:52:15.374574+01:00 crosis opendkim[1183]: C01D06003F: not authenticated
> 2025-01-24T21:52:15.387786+01:00 crosis opendkim[1183]: C01D06003F: no signature data
> 2025-01-24T21:52:15.402636+01:00 crosis opendmarc[1192]: C01D06003F: so-net.net.tw none
>
> I have set ‘RejectFailures true’ in /etc/opendmarc.conf. My
> expectation was that mails without a dmarc signature would then be
> rejected. This does not seem to be the case.

Correct.

DKIM and DMARC are not used universally. For many domains, there is
little to no value in setting up DKIM or DMARC, both of which add
complexity and potential points of failure. Requiring either is a recipe
for rejecting legitimate mail.

> Now my question is whether with my setting only mails are rejected if
> the signature check fails - assuming there is one?

Yes, I think that's clear: the setting name and your direct experience
demonstrate that RejectFailure does not reject unsigned messages.
Absence is not failure.
In my opinion, DMARC's "RejectFailure true" is an essentially unwise
practice, to the degree that I think it shouldn't be available. DKIM
signatures are very fragile in the real world, so failures are common on
legitimate mail that happens to have encountered one of the many causes.
For example, this mailing list breaks any DKIM signature applied by the
sender. So do MOST mailing lists.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
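
Added example, not part of the original message or of OpenDMARC: a small Python tally of opendmarc verdict lines, useful for seeing how much of your own mail logs `none` versus `fail` before relying on a reject setting. It assumes each verdict line has the `queue-id: domain result` form quoted in the post and that the result word is one of `none`, `pass` or `fail`; every log line except the first is constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample. The first line is the form quoted in the post;
# the remaining lines are invented for illustration.
SAMPLE_LOG = """\
2025-01-24T21:52:15.402636+01:00 crosis opendmarc[1192]: C01D06003F: so-net.net.tw none
2025-01-24T21:53:02.118201+01:00 crosis opendmarc[1192]: D11A26004A: example.org pass
2025-01-24T21:54:40.550912+01:00 crosis opendmarc[1192]: E22B37005B: example.net fail
2025-01-24T21:55:10.000001+01:00 crosis opendkim[1183]: E22B37005B: no signature data
2025-01-24T21:56:31.730044+01:00 crosis opendmarc[1192]: F33C48006C: example.net fail
"""

# "<queue-id>: <From domain> <result>" on an opendmarc syslog line.
# Assumption: the result word is one of none / pass / fail.
LINE_RE = re.compile(
    r"\sopendmarc\[\d+\]:\s+(?P<qid>[0-9A-Za-z]+):\s+"
    r"(?P<domain>\S+)\s+(?P<result>none|pass|fail)\s*$"
)

def parse(log_text):
    """Yield (queue_id, domain, result) for each opendmarc verdict line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["qid"], m["domain"].lower(), m["result"]

def summarize(log_text):
    """Return (overall Counter, per-domain Counters) of logged results."""
    total = Counter()
    per_domain = defaultdict(Counter)
    for _qid, domain, result in parse(log_text):
        total[result] += 1
        per_domain[domain][result] += 1
    return total, per_domain

def reject_candidates(log_text):
    """Queue IDs logged as 'fail'. Messages logged as 'none' are never
    included: absence of a DMARC result is not a failure."""
    return [qid for qid, _domain, result in parse(log_text) if result == "fail"]

if __name__ == "__main__":
    total, per_domain = summarize(SAMPLE_LOG)
    print("overall:", dict(total))
    for domain, counts in sorted(per_domain.items()):
        print(f"  {domain}: {dict(counts)}")
    print("fail (the only group a reject-on-failure setting can act on):",
          reject_candidates(SAMPLE_LOG))
```

The parser expects one log entry per line, so unwrap any entries that a mail client has folded before feeding them in.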