> Postfix architecture aside, I think this is bad advice, at least about DKIM. > The premises are false.
Care to elaborate? Clearly, this is not possible to do in postscreen sort of making this moot, but, SPF spec says to reject messages that have status fail. DKIM says you MAY, and, several pieces of software such as dkim-milter allow you to do so. Also, ADSP records seem to have the capability to say please discard this message under various conditions, why shouldn't that be respected? Gmail (at least) already REJECTS mail based on dkim, at least for some domains like ebay.com I suppose to prevent phishing from reaching inbox or spam folders. I am not as familiar with DKIM as I am SPF. It would be helpful to know what specifically is wrong with the premise, and more importantly, why rejecting would be wrong. I realize there are some issues such as modified headers that can cause signature verification errors, however, the dkim-milter at least accounts for this by using the relaxed mode. Anyway, I'd love to know why the premise is wrong, if you have the time to enlighten me!
