Many thanks for your reply, Bill.
On 24.01.2025 at 23:41, Bill Cole via Postfix-users wrote:
On 2025-01-24 at 16:56:40 UTC-0500 (Fri, 24 Jan 2025 22:56:40 +0100)
Andreas Kuhlen via Postfix-users <t...@mandogo.de>
is rumored to have said:
Hi, dear list members!
I don't know if I'm asking in the right place, but since opendmarc is
configured as a milter in Postfix, I'll just ask it.
Today I received a mail that did not have a dmarc signature.
2025-01-24T21:52:15.374433+01:00 crosis opendkim[1183]: C01D06003F: m6.so-net.net.tw [61.64.127.96] not internal
2025-01-24T21:52:15.374574+01:00 crosis opendkim[1183]: C01D06003F: not authenticated
2025-01-24T21:52:15.387786+01:00 crosis opendkim[1183]: C01D06003F: no signature data
2025-01-24T21:52:15.402636+01:00 crosis opendmarc[1192]: C01D06003F: so-net.net.tw none
I have set ‘RejectFailures true’ in /etc/opendmarc.conf. My
expectation was that mails without a dmarc signature would then be
rejected. This does not seem to be the case.
Correct.
DKIM and DMARC are not used universally. For many domains, there is
little to no value in setting up DKIM or DMARC, both of which add
complexity and potential points of failure. Requiring either is a
recipe for rejecting legitimate mail.
I also think that opinions differ on the use of DKIM and DMARC. Maybe
I'll reconsider the use, because I don't want it to be too complicated
for me either. Even though, as far as I know, there have not yet been
any cases of legitimate emails being rejected.
Now my question is whether with my setting only mails are rejected if
the signature check fails - assuming there is one?
Yes, I think that's clear: the setting name and your direct experience
demonstrate that RejectFailure does not reject unsigned messages.
Absence is not failure.
Yes, the name of the setting is really clear - even for me as a
non-native English speaker. And the absence of the DMARC signature is
really not a failure.
In my opinion, DMARC's "RejectFailure true" is an essentially unwise
practice, to the degree that I think it shouldn't be available. DKIM
signatures are very fragile in the real world, so failures are common
on legitimate mail that happens to have encountered one of the many
causes. For example, this mailing list breaks any DKIM signature
applied by the sender. So do MOST mailing lists.
I have also noticed that the sender's DKIM signature is broken in the
mailing list. Which makes it somewhat absurd.
Andreas
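
As an added example (not part of the thread and not OpenDMARC's own code), this Python script groups opendkim/opendmarc log lines by queue ID to show which messages `RejectFailures` can affect at all. The first four sample lines are the ones quoted in the thread; the `fail` and `pass` lines are constructed and assume the same `<queue-id>: <domain> <result>` format.

```python
import re
from collections import defaultdict

# First four lines: the log lines quoted in the thread, unwrapped.
# Queue IDs A1B2C3D4E5 and F6A7B8C9D0 are constructed for contrast.
SAMPLE_LOG = """\
2025-01-24T21:52:15.374433+01:00 crosis opendkim[1183]: C01D06003F: m6.so-net.net.tw [61.64.127.96] not internal
2025-01-24T21:52:15.374574+01:00 crosis opendkim[1183]: C01D06003F: not authenticated
2025-01-24T21:52:15.387786+01:00 crosis opendkim[1183]: C01D06003F: no signature data
2025-01-24T21:52:15.402636+01:00 crosis opendmarc[1192]: C01D06003F: so-net.net.tw none
2025-01-24T22:10:01.100000+01:00 crosis opendmarc[1192]: A1B2C3D4E5: example.org fail
2025-01-24T22:15:42.200000+01:00 crosis opendmarc[1192]: F6A7B8C9D0: example.net pass
"""

LINE = re.compile(r"^\S+ \S+ (opendkim|opendmarc)\[\d+\]: ([0-9A-Za-z]+): (.*)$")

def summarize(log_text):
    """Group milter log lines by queue ID."""
    msgs = defaultdict(lambda: {"no_dkim_signature": False, "domain": None, "dmarc": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        daemon, qid, text = m.groups()
        if daemon == "opendkim" and text == "no signature data":
            msgs[qid]["no_dkim_signature"] = True
        elif daemon == "opendmarc":
            domain, _, result = text.rpartition(" ")
            if result in ("pass", "fail", "none"):
                msgs[qid]["domain"], msgs[qid]["dmarc"] = domain, result
    return dict(msgs)

def exposure(log_text):
    """Map queue ID -> whether RejectFailures can affect the message.

    'none' and 'pass' are never rejected by the setting (absence is not
    failure). 'fail' is only a candidate: whether it is actually rejected
    also depends on the sender's published policy, which is not in these lines.
    """
    return {qid: ("may be rejected" if m["dmarc"] == "fail" else "not affected")
            for qid, m in summarize(log_text).items()}

if __name__ == "__main__":
    for qid, verdict in exposure(SAMPLE_LOG).items():
        print(qid, verdict)
```

Run over a few weeks of real mail logs, the count of `fail` entries from senders you recognise gives a measure of how much legitimate mail the setting puts at risk.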